Edit tour

Windows Analysis Report
Xzm9fAfKhB.exe

Overview

General Information

Sample name:	Xzm9fAfKhB.exe renamed because original name is a hash value
Original sample name:	d9cd9f798cb8012ce2834ac5e21ed371.exe
Analysis ID:	1524740
MD5:	d9cd9f798cb8012ce2834ac5e21ed371
SHA1:	a6879cd6c787a50e5f0168ecf6caddc4a0b4a822
SHA256:	e91f69194702e3b8568ba1c3db43fd187118e1fdabfb6eaef764feff8057c608
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

Socks5Systemz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Socks5Systemz

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Machine Learning detection for dropped file

PE file has a writeable .text section

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Xzm9fAfKhB.exe (PID: 4800 cmdline: "C:\Users\user\Desktop\Xzm9fAfKhB.exe" MD5: D9CD9F798CB8012CE2834AC5E21ED371)

Xzm9fAfKhB.tmp (PID: 64 cmdline: "C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp" /SL5="$203DC,8066431,54272,C:\Users\user\Desktop\Xzm9fAfKhB.exe" MD5: 16C9D19AB32C18671706CEFEE19B6949)

zextervideocodec32_64.exe (PID: 6236 cmdline: "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i MD5: 96504F6C70AD91FDC3D32BF7C3FA2696)

cleanup

Malware Configuration

Threatname: Socks5Systemz

{"C2 list": ["ebirbqi.ua"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000003.00000002.3386241526.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: zextervideocodec32_64.exe PID: 6236	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T08:40:03.557729+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49719	185.208.158.248	80	TCP
2024-10-03T08:40:03.909597+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49719	185.208.158.248	80	TCP
2024-10-03T08:40:04.779447+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49720	185.208.158.248	80	TCP
2024-10-03T08:40:05.143029+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49720	185.208.158.248	80	TCP
2024-10-03T08:40:05.951562+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49721	185.208.158.248	80	TCP
2024-10-03T08:40:06.298863+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49721	185.208.158.248	80	TCP
2024-10-03T08:40:06.641793+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49721	185.208.158.248	80	TCP
2024-10-03T08:40:08.480326+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49722	185.208.158.248	80	TCP
2024-10-03T08:40:09.298643+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49723	185.208.158.248	80	TCP
2024-10-03T08:40:09.646073+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49723	185.208.158.248	80	TCP
2024-10-03T08:40:10.475796+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49725	185.208.158.248	80	TCP
2024-10-03T08:40:11.291408+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49726	185.208.158.248	80	TCP
2024-10-03T08:40:12.100767+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49727	185.208.158.248	80	TCP
2024-10-03T08:40:13.668740+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49728	185.208.158.248	80	TCP
2024-10-03T08:40:14.021882+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49728	185.208.158.248	80	TCP
2024-10-03T08:40:14.854908+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49729	185.208.158.248	80	TCP
2024-10-03T08:40:15.683032+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49730	185.208.158.248	80	TCP
2024-10-03T08:40:16.486986+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49731	185.208.158.248	80	TCP
2024-10-03T08:40:16.829817+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49731	185.208.158.248	80	TCP
2024-10-03T08:40:17.173081+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49731	185.208.158.248	80	TCP
2024-10-03T08:40:18.004594+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49732	185.208.158.248	80	TCP
2024-10-03T08:40:18.836718+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49733	185.208.158.248	80	TCP
2024-10-03T08:40:19.657844+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49734	185.208.158.248	80	TCP
2024-10-03T08:40:20.004208+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49734	185.208.158.248	80	TCP
2024-10-03T08:40:20.809757+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49735	185.208.158.248	80	TCP
2024-10-03T08:40:21.156403+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49735	185.208.158.248	80	TCP
2024-10-03T08:40:21.502908+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49735	185.208.158.248	80	TCP
2024-10-03T08:40:22.341955+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49736	185.208.158.248	80	TCP
2024-10-03T08:40:22.693294+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49736	185.208.158.248	80	TCP
2024-10-03T08:40:23.674627+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49737	185.208.158.248	80	TCP
2024-10-03T08:40:24.482732+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49738	185.208.158.248	80	TCP
2024-10-03T08:40:24.980157+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49738	185.208.158.248	80	TCP
2024-10-03T08:40:25.798356+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49739	185.208.158.248	80	TCP
2024-10-03T08:40:26.606860+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:26.953733+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:27.298083+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:27.641462+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:28.465099+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49741	185.208.158.248	80	TCP
2024-10-03T08:40:30.265711+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49742	185.208.158.248	80	TCP
2024-10-03T08:40:31.104830+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49743	185.208.158.248	80	TCP
2024-10-03T08:40:32.078905+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:32.454570+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:32.798274+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:33.141264+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:33.485451+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:33.834878+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:34.298286+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:34.648536+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:35.454533+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49745	185.208.158.248	80	TCP
2024-10-03T08:40:35.798624+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49745	185.208.158.248	80	TCP
2024-10-03T08:40:36.145125+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49745	185.208.158.248	80	TCP
2024-10-03T08:40:36.957264+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49746	185.208.158.248	80	TCP
2024-10-03T08:40:37.775736+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49748	185.208.158.248	80	TCP
2024-10-03T08:40:38.577743+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49749	185.208.158.248	80	TCP
2024-10-03T08:40:38.922676+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49749	185.208.158.248	80	TCP
2024-10-03T08:40:39.790336+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49750	185.208.158.248	80	TCP
2024-10-03T08:40:40.601299+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49751	185.208.158.248	80	TCP
2024-10-03T08:40:41.422965+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49752	185.208.158.248	80	TCP
2024-10-03T08:40:41.770339+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49752	185.208.158.248	80	TCP
2024-10-03T08:40:42.584993+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49753	185.208.158.248	80	TCP
2024-10-03T08:40:43.426932+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49754	185.208.158.248	80	TCP
2024-10-03T08:40:44.232887+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49755	185.208.158.248	80	TCP
2024-10-03T08:40:44.580361+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49755	185.208.158.248	80	TCP
2024-10-03T08:40:44.974483+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49755	185.208.158.248	80	TCP
2024-10-03T08:40:45.788468+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49756	185.208.158.248	80	TCP
2024-10-03T08:40:46.620773+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49757	185.208.158.248	80	TCP
2024-10-03T08:40:47.429110+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49758	185.208.158.248	80	TCP
2024-10-03T08:40:48.250966+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49759	185.208.158.248	80	TCP
2024-10-03T08:40:48.821744+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49759	185.208.158.248	80	TCP
2024-10-03T08:40:49.636214+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49760	185.208.158.248	80	TCP
2024-10-03T08:40:50.436319+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:50.782549+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:51.125825+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:51.469860+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:52.430506+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49762	185.208.158.248	80	TCP
2024-10-03T08:40:53.235582+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:53.580693+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:53.923676+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:54.270652+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:55.079309+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49764	185.208.158.248	80	TCP
2024-10-03T08:40:55.913022+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49765	185.208.158.248	80	TCP
2024-10-03T08:40:56.727880+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49766	185.208.158.248	80	TCP
2024-10-03T08:40:57.530444+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49767	185.208.158.248	80	TCP
2024-10-03T08:40:58.436463+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49768	185.208.158.248	80	TCP
2024-10-03T08:40:59.085837+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49768	185.208.158.248	80	TCP
2024-10-03T08:40:59.908301+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49769	185.208.158.248	80	TCP
2024-10-03T08:41:00.252946+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49769	185.208.158.248	80	TCP
2024-10-03T08:41:01.124506+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49770	185.208.158.248	80	TCP
2024-10-03T08:41:02.734317+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49771	185.208.158.248	80	TCP
2024-10-03T08:41:03.541913+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49772	185.208.158.248	80	TCP
2024-10-03T08:41:04.363758+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49773	185.208.158.248	80	TCP
2024-10-03T08:41:05.280891+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49774	185.208.158.248	80	TCP
2024-10-03T08:41:07.092124+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49775	185.208.158.248	80	TCP
2024-10-03T08:41:07.959005+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49776	185.208.158.248	80	TCP
2024-10-03T08:41:09.318273+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49777	185.208.158.248	80	TCP
2024-10-03T08:41:10.152657+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49778	185.208.158.248	80	TCP
2024-10-03T08:41:10.994314+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49780	185.208.158.248	80	TCP
2024-10-03T08:41:11.825886+0200	2049467	1	A Network Trojan was detected	192.168.2.6	49781	185.208.158.248	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: zextervideocodec32_64.exe.6236.3.memstrmin

Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ebirbqi.ua"]}

Multi AV Scanner detection for submitted file

Source: Xzm9fAfKhB.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045D4EC
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0045D5A0 ArcFourCrypt,	1_2_0045D5A0
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0045D5B8 ArcFourCrypt,	1_2_0045D5B8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Unpacked PE file: 3.2.zextervideocodec32_64.exe.400000.0.unpack

Source: Xzm9fAfKhB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zexter Video Codec_is1

Jump to behavior

Source:

Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Xzm9fAfKhB.tmp, 00000001.00000003.2133608931.000000000214C000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2133698100.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3386168549.0000000003103000.00000002.00000001.01000000.00000006.sdmp, _isdecmp.dll.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00452A4C FindFirstFileA,GetLastError,	1_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,	1_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,	1_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00497A74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49730 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49764 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49723 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49749 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49725 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49772 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49734 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49740 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49742 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49741 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49726 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49731 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49771 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49720 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49745 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49762 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49765 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49743 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49727 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49719 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49752 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49770 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49758 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49722 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49748 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49763 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49744 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49777 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49728 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49778 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49757 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49773 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49732 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49746 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49729 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49737 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49760 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49766 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49721 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49733 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49755 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49751 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49735 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49736 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49775 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49756 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49776 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49781 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49738 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49761 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49750 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49759 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49753 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49767 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49754 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49774 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49739 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49768 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49769 -> 185.208.158.248:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.6:49780 -> 185.208.158.248:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ebirbqi.ua

Source: Joe Sandbox View

IP Address: 185.208.158.248 185.208.158.248

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: unknown

UDP traffic detected without corresponding DNS query: 141.98.234.31

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_02C572AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,

3_2_02C572AB

Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1Host: ebirbqi.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: global traffic

DNS traffic detected: DNS query: ebirbqi.ua

Source: zextervideocodec32_64.exe, 00000003.00000002.3387608515.000000000352D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.1
Source: zextervideocodec32_64.exe, 00000003.00000002.3387901954.00000000035BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86e
Source: zextervideocodec32_64.exe, 00000003.00000002.3387998518.0000000003662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.2.8Content-Length:-/recv
Source: is-RPNLQ.tmp.1.dr	String found in binary or memory: http://freedesktop.org
Source: is-RPNLQ.tmp.1.dr	String found in binary or memory: http://freedesktop.orgtypenameexeccounttimestampparse_data-
Source: Xzm9fAfKhB.exe, 00000000.00000002.3383889372.0000000002158000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2131920082.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2134098240.0000000002140000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3383689424.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2137278806.0000000000648000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3384737739.0000000002135000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2133698100.0000000003100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fsf.org/
Source: is-CP383.tmp.1.dr	String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: is-0CKRF.tmp.1.dr	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse:
Source: is-57AK2.tmp.1.dr	String found in binary or memory: http://tukaani.org/
Source: is-57AK2.tmp.1.dr	String found in binary or memory: http://tukaani.org/xz/
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://www.ascc.net/xml/schematron
Source: is-4QN63.tmp.1.dr	String found in binary or memory: http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd
Source: is-RPNLQ.tmp.1.dr	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
Source: is-RPNLQ.tmp.1.dr	String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh
Source: is-RPNLQ.tmp.1.dr	String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: Xzm9fAfKhB.exe, 00000000.00000002.3383889372.0000000002158000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2131920082.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2134098240.0000000002140000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3383689424.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2137278806.0000000000648000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3384737739.0000000002135000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2133698100.0000000003100000.00000004.00001000.00020000.00000000.sdmp, is-CFKF2.tmp.1.dr, is-EV29A.tmp.1.dr, is-29IF1.tmp.1.dr	String found in binary or memory: http://www.gnu.org/licenses/
Source: Xzm9fAfKhB.tmp, Xzm9fAfKhB.tmp, 00000001.00000000.2132874520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-14BEA.tmp.1.dr, Xzm9fAfKhB.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: is-EHS2H.tmp.1.dr	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: Xzm9fAfKhB.exe, 00000000.00000003.2132448635.0000000002164000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2132303512.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, Xzm9fAfKhB.tmp, 00000001.00000000.2132874520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-14BEA.tmp.1.dr, Xzm9fAfKhB.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Xzm9fAfKhB.exe, 00000000.00000003.2132448635.0000000002164000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2132303512.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000000.2132874520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-14BEA.tmp.1.dr, Xzm9fAfKhB.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU

System Summary

PE file has a writeable .text section

Source: zextervideocodec32_64.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: EMAIL Safe Storage 10.2.46.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0042F530 NtdllDefWindowProc_A,	1_2_0042F530
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004789DC NtdllDefWindowProc_A,	1_2_004789DC
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_004573CC

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E944

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555D0

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004804C6	1_2_004804C6
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00470950	1_2_00470950
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004352D8	1_2_004352D8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00467710	1_2_00467710
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0043036C	1_2_0043036C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004444D8	1_2_004444D8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004345D4	1_2_004345D4
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00486604	1_2_00486604
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00444A80	1_2_00444A80
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00430EF8	1_2_00430EF8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00445178	1_2_00445178
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0045F430	1_2_0045F430
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0045B4D8	1_2_0045B4D8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00487564	1_2_00487564
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00445584	1_2_00445584
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00469770	1_2_00469770
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0048D8C4	1_2_0048D8C4
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004519A8	1_2_004519A8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0043DD60	1_2_0043DD60
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_03101260	1_2_03101260
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_03101D20	1_2_03101D20
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_00406C47	3_2_00406C47
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_00401051	3_2_00401051
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_00401C26	3_2_00401C26
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C6E22D	3_2_02C6E22D
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C5F050	3_2_02C5F050
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C74EC9	3_2_02C74EC9
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C6E645	3_2_02C6E645
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C72E54	3_2_02C72E54
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C69F24	3_2_02C69F24
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C6ACDA	3_2_02C6ACDA
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C684E2	3_2_02C684E2
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C75440	3_2_02C75440
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C6DD39	3_2_02C6DD39
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C8C2AD	3_2_02C8C2AD
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_02C8B4E5	3_2_02C8B4E5

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp C1769524411682D5A204C8A40F983123C67EFEADB721160E42D7BBFE4531EB70
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: String function: 02C68B80 appears 37 times
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: String function: 02C753D0 appears 138 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00405964 appears 116 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00408C14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00406ACC appears 41 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00403400 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00445DE4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 004344EC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00457D58 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00453330 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00457B4C appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 00403684 appears 221 times
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: String function: 004460B4 appears 59 times

Source: Xzm9fAfKhB.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Xzm9fAfKhB.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Xzm9fAfKhB.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Xzm9fAfKhB.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Xzm9fAfKhB.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-14BEA.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-14BEA.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-14BEA.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-14BEA.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: is-RPNLQ.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-57AK2.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-PMES9.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-4QN63.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-HQ8HN.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-EULG2.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-H1FDK.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-0CKRF.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-I4ASE.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-BT9F1.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-I5IDJ.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-87RHL.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-UVS9J.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-CFKF2.tmp.1.dr	Static PE information: Number of sections : 11 > 10

Source: Xzm9fAfKhB.exe, 00000000.00000003.2132448635.0000000002164000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Xzm9fAfKhB.exe
Source: Xzm9fAfKhB.exe, 00000000.00000003.2132303512.0000000002380000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Xzm9fAfKhB.exe

Source: Xzm9fAfKhB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: _RegDLL.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/154@1/1

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_02C608A0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,

3_2_02C608A0

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555D0

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455DF8

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_0040D3E8

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_0046E38C GetVersion,CoCreateInstance,

1_2_0046E38C

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BEC

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_00402199 lstrcmpiW,StartServiceCtrlDispatcherA,lstrcmpiW,

3_2_00402199

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_00402199 lstrcmpiW,StartServiceCtrlDispatcherA,lstrcmpiW,	3_2_00402199
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_0040D487 StartServiceCtrlDispatcherA,	3_2_0040D487
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_00402170 StartServiceCtrlDispatcherA,	3_2_00402170
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: 3_2_00402170 StartServiceCtrlDispatcherA,	3_2_00402170

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

File created: C:\Users\user\AppData\Local\Zexter Video Codec

Jump to behavior

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

File created: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Xzm9fAfKhB.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

File read: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Xzm9fAfKhB.exe "C:\Users\user\Desktop\Xzm9fAfKhB.exe"
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp "C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp" /SL5="$203DC,8066431,54272,C:\Users\user\Desktop\Xzm9fAfKhB.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp "C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp" /SL5="$203DC,8066431,54272,C:\Users\user\Desktop\Xzm9fAfKhB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe "C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i	Jump to behavior

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zexter Video Codec_is1

Jump to behavior

Source: Xzm9fAfKhB.exe

Static file information: File size 8354805 > 1048576

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Unpacked PE file: 3.2.zextervideocodec32_64.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Unpacked PE file: 3.2.zextervideocodec32_64.exe.400000.0.unpack

Source: is-EULG2.tmp.1.dr

Static PE information: 0x6C5714D0 [Sat Aug 7 13:44:48 2027 UTC]

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004502AC

Source: is-NES8J.tmp.1.dr	Static PE information: section name: /4
Source: is-TL6PF.tmp.1.dr	Static PE information: section name: /4
Source: is-EULG2.tmp.1.dr	Static PE information: section name: /4
Source: is-199CA.tmp.1.dr	Static PE information: section name: /4
Source: is-HQ8HN.tmp.1.dr	Static PE information: section name: /4
Source: is-4QN63.tmp.1.dr	Static PE information: section name: /4
Source: is-5O6A6.tmp.1.dr	Static PE information: section name: /4
Source: is-RPNLQ.tmp.1.dr	Static PE information: section name: /4
Source: is-I7J48.tmp.1.dr	Static PE information: section name: /4
Source: is-87RHL.tmp.1.dr	Static PE information: section name: /4
Source: is-BT9F1.tmp.1.dr	Static PE information: section name: /4
Source: is-CFA55.tmp.1.dr	Static PE information: section name: /4
Source: is-8MT3T.tmp.1.dr	Static PE information: section name: /4
Source: is-OOHEU.tmp.1.dr	Static PE information: section name: /4
Source: is-I4ASE.tmp.1.dr	Static PE information: section name: /4
Source: is-CFKF2.tmp.1.dr	Static PE information: section name: /4
Source: is-7H0OE.tmp.1.dr	Static PE information: section name: /4
Source: is-FOK4M.tmp.1.dr	Static PE information: section name: /4
Source: is-57AK2.tmp.1.dr	Static PE information: section name: /4
Source: is-PMES9.tmp.1.dr	Static PE information: section name: /4
Source: is-H1FDK.tmp.1.dr	Static PE information: section name: /4
Source: is-I5IDJ.tmp.1.dr	Static PE information: section name: /4
Source: is-JCARN.tmp.1.dr	Static PE information: section name: /4
Source: is-UVS9J.tmp.1.dr	Static PE information: section name: /4
Source: is-79FJ7.tmp.1.dr	Static PE information: section name: /4
Source: is-SD4OG.tmp.1.dr	Static PE information: section name: /4
Source: is-TUTT5.tmp.1.dr	Static PE information: section name: /4
Source: is-R7G7O.tmp.1.dr	Static PE information: section name: /4
Source: is-KRQSU.tmp.1.dr	Static PE information: section name: /4
Source: is-CP383.tmp.1.dr	Static PE information: section name: /4
Source: is-3AK63.tmp.1.dr	Static PE information: section name: /4
Source: is-0CKRF.tmp.1.dr	Static PE information: section name: /4
Source: is-EHS2H.tmp.1.dr	Static PE information: section name: /4
Source: is-9NRJ4.tmp.1.dr	Static PE information: section name: /4

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_004065B8 push 004065F5h; ret	0_2_004065ED
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00409954 push 00409991h; ret	1_2_00409989
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040A04F push ds; ret	1_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040A023 push ds; ret	1_2_0040A04D
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00460088 push ecx; mov dword ptr [esp], ecx	1_2_0046008C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax	1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0049467C push ecx; mov dword ptr [esp], ecx	1_2_00494681
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx	1_2_004106E5
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx	1_2_0040D03A
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004850AC push ecx; mov dword ptr [esp], ecx	1_2_004850B1
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00443450 push ecx; mov dword ptr [esp], ecx	1_2_00443454
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx	1_2_0040F59A
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00459634 push 00459678h; ret	1_2_00459670
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004517E4 push 00451817h; ret	1_2_0045180F
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004519A8 push ecx; mov dword ptr [esp], eax	1_2_004519AD
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00483A08 push 00483AF7h; ret	1_2_00483AEF
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00477A24 push ecx; mov dword ptr [esp], edx	1_2_00477A25

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_00401A4F
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_02C5F879

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-RPNLQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpng16-16.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-I4ASE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-199CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-8MT3T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-H1FDK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-I7J48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-PMES9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-NES8J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-OOHEU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-CFKF2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-EHS2H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-87RHL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-0CKRF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libxml2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-BT9F1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-CP383.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-I5IDJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\is-14BEA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-UVS9J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-FOK4M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-KRQSU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-9NRJ4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-EULG2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-79FJ7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-5O6A6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-TL6PF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libsigc-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-JCARN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libstdc++-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-HQ8HN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-TUTT5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-4QN63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-3AK63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-SD4OG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-R7G7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libtiff-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-57AK2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\librsvg-2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-7H0OE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpixman-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\is-CFA55.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	File created: C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	File created: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	File created: C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

File created: C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_00401A4F
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		3_2_02C5F879

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_00402199 lstrcmpiW,StartServiceCtrlDispatcherA,lstrcmpiW,

3_2_00402199

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_004833BC
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F128

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		3_2_00401B4B
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		3_2_02C5F97D

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Window / User API: threadDelayed 688			Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	Window / User API: threadDelayed 9151			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-RPNLQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpng16-16.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-I4ASE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-199CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-8MT3T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-H1FDK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-PMES9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-I7J48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-OOHEU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-NES8J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-EHS2H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-CFKF2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-87RHL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-0CKRF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libxml2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-BT9F1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-CP383.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-I5IDJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-UVS9J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\is-14BEA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-FOK4M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-9NRJ4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-KRQSU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-EULG2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-79FJ7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-5O6A6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-TL6PF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libsigc-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-JCARN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libstdc++-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-HQ8HN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-TUTT5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-4QN63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-3AK63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-SD4OG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libtiff-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-R7G7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-57AK2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\librsvg-2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-7H0OE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpixman-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\is-CFA55.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5694

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-18982

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 2128	Thread sleep count: 688 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 2128	Thread sleep time: -1376000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 5172	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 5172	Thread sleep time: -4980000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 2128	Thread sleep count: 9151 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe TID: 2128	Thread sleep time: -18302000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00452A4C FindFirstFileA,GetLastError,	1_2_00452A4C
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,	1_2_004751F8
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464048
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004644C4
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,	1_2_00462ABC
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: 1_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00497A74

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B30

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: zextervideocodec32_64.exe, 00000003.00000002.3383403547.0000000000767000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3387608515.00000000034F5000.00000004.00000020.00020000.00000000.sdmp, zextervideocodec32_64.exe, 00000003.00000002.3383403547.000000000068E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	API call chain: ExitProcess graph end node	graph_0-6734
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	API call chain: ExitProcess graph end node	graph_3-18984
Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe	API call chain: ExitProcess graph end node	graph_3-21395

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_02C7019E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

3_2_02C7019E

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

3_2_02C7019E

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004502AC

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_02C5648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,

3_2_02C5648B

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_02C69508 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_02C69508

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478420

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E0AC

Source: C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Code function: 3_2_02C6804D cpuid

3_2_02C6804D

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: GetLocaleInfoA,	0_2_004051FC
Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe	Code function: GetLocaleInfoA,	0_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: GetLocaleInfoA,	1_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	Code function: GetLocaleInfoA,	1_2_004085BC

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_0045892C

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Code function: 1_2_00455588 GetUserNameA,

1_2_00455588

Source: C:\Users\user\Desktop\Xzm9fAfKhB.exe

Code function: 0_2_00405CE4 GetVersionExA,

0_2_00405CE4

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3386241526.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zextervideocodec32_64.exe PID: 6236, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3386241526.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zextervideocodec32_64.exe PID: 6236, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	5 Windows Service	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Bootkit	1 Access Token Manipulation	21 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	5 Windows Service	1 Timestomp	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 DLL Side-Loading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Xzm9fAfKhB.exe	24%	ReversingLabs	Win32.Trojan.Munp

Dropped Files

Source	Detection	Scanner
C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-0CKRF.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-199CA.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-3AK63.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-4QN63.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-57AK2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-5O6A6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-79FJ7.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-7H0OE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-87RHL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-8MT3T.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-9NRJ4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-BT9F1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-CFA55.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-CFKF2.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-CP383.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-EHS2H.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-EULG2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-FOK4M.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-H1FDK.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-HQ8HN.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-I4ASE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-I5IDJ.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-I7J48.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-JCARN.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-KRQSU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-NES8J.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-OOHEU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-PMES9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-R7G7O.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-RPNLQ.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-SD4OG.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-TL6PF.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-TUTT5.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\is-UVS9J.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	0%	Virustotal		Browse
http://www.freedesktop.org/standards/desktop-bookmarks	0%	Virustotal		Browse
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	0%	Virustotal		Browse
http://gcc.gnu.org/bugs.html):	0%	Virustotal		Browse
http://purl.oclc.org/dsdl/schematron	0%	Virustotal		Browse
http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse:	0%	Virustotal		Browse
http://www.ascc.net/xml/schematron	0%	Virustotal		Browse
http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd	0%	Virustotal		Browse
http://www.remobjects.com/psU	0%	Virustotal		Browse
http://tukaani.org/	0%	Virustotal		Browse
http://tukaani.org/xz/	0%	Virustotal		Browse
http://mingw-w64.sourceforge.net/X	0%	Virustotal		Browse
http://relaxng.org/ns/structure/1.0	0%	Virustotal		Browse
http://fsf.org/	0%	Virustotal		Browse
http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh	0%	Virustotal		Browse
http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node	0%	Virustotal		Browse
http://185.208.1	0%	Virustotal		Browse
http://freedesktop.org	0%	Virustotal		Browse
http://www.gnu.org/licenses/	0%	Virustotal		Browse
http://www.freedesktop.org/standards/shared-mime-info	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ebirbqi.ua	185.208.158.248	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ebirbqi.ua/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d	true		unknown
ebirbqi.ua	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	Xzm9fAfKhB.tmp, Xzm9fAfKhB.tmp, 00000001.00000000.2132874520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-14BEA.tmp.1.dr, Xzm9fAfKhB.tmp.0.dr	false	URL Reputation: safe	unknown
http://freedesktop.orgtypenameexeccounttimestampparse_data-	is-RPNLQ.tmp.1.dr	false		unknown
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.2.8Content-Length:-/recv	is-EHS2H.tmp.1.dr	false		unknown
http://www.freedesktop.org/standards/desktop-bookmarks	is-RPNLQ.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://purl.oclc.org/dsdl/schematron	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://gcc.gnu.org/bugs.html):	is-CP383.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://relaxng.org/ns/structure/1.0definenameincludegrammarxmlRelaxNGParse:	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.ascc.net/xml/schematron	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd	is-4QN63.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://tukaani.org/	is-57AK2.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.remobjects.com/psU	Xzm9fAfKhB.exe, 00000000.00000003.2132448635.0000000002164000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2132303512.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000000.2132874520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-14BEA.tmp.1.dr, Xzm9fAfKhB.tmp.0.dr	false	0%, Virustotal, Browse	unknown
http://tukaani.org/xz/	is-57AK2.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://mingw-w64.sourceforge.net/X	is-0CKRF.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d	zextervideocodec32_64.exe, 00000003.00000002.3387998518.0000000003662000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.freedesktop.org/standards/shared-mime-info	is-RPNLQ.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.freedesktop.org/standards/desktop-bookmarksapplicationgroupapplicationsgroupsprivateiconh	is-RPNLQ.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://relaxng.org/ns/structure/1.0	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://www.remobjects.com/ps	Xzm9fAfKhB.exe, 00000000.00000003.2132448635.0000000002164000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2132303512.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, Xzm9fAfKhB.tmp, 00000001.00000000.2132874520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-14BEA.tmp.1.dr, Xzm9fAfKhB.tmp.0.dr	false	URL Reputation: safe	unknown
http://fsf.org/	Xzm9fAfKhB.exe, 00000000.00000002.3383889372.0000000002158000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2131920082.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2134098240.0000000002140000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3383689424.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2137278806.0000000000648000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3384737739.0000000002135000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2133698100.0000000003100000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86e	zextervideocodec32_64.exe, 00000003.00000002.3387901954.00000000035BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://freedesktop.org	is-RPNLQ.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://purl.oclc.org/dsdl/schematronpathhttp://www.ascc.net/xml/schematron:node	is-EHS2H.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://185.208.1	zextervideocodec32_64.exe, 00000003.00000002.3387608515.000000000352D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.gnu.org/licenses/	Xzm9fAfKhB.exe, 00000000.00000002.3383889372.0000000002158000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.exe, 00000000.00000003.2131920082.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2134098240.0000000002140000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3383689424.000000000063D000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2137278806.0000000000648000.00000004.00000020.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000002.3384737739.0000000002135000.00000004.00001000.00020000.00000000.sdmp, Xzm9fAfKhB.tmp, 00000001.00000003.2133698100.0000000003100000.00000004.00001000.00020000.00000000.sdmp, is-CFKF2.tmp.1.dr, is-EV29A.tmp.1.dr, is-29IF1.tmp.1.dr	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.208.158.248	ebirbqi.ua	Switzerland		34888	SIMPLECARRER2IT	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524740
Start date and time:	2024-10-03 08:38:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Xzm9fAfKhB.exe renamed because original name is a hash value
Original Sample Name:	d9cd9f798cb8012ce2834ac5e21ed371.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/154@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 169 Number of non-executed functions: 256
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:39:42	API Interceptor	393286x Sleep call for process: zextervideocodec32_64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.208.158.248	noode.exe	Get hash	malicious	Socks5Systemz	Browse
	noode.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe	Get hash	malicious	Socks5Systemz	Browse
	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	boSodF2WmT.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRER2IT	noode.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	http://Asm.alcateia.org	Get hash	malicious	HTMLPhisher	Browse	185.208.158.9
	noode.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse	185.208.158.248
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	185.208.158.248
	SecuriteInfo.com.Trojan.Win32.Crypt.31282.17969.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe	Get hash	malicious	Socks5Systemz	Browse	185.196.8.214
	SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe	Get hash	malicious	Socks5Systemz	Browse	185.196.8.214
	SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.248
	http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com	Get hash	malicious	HTMLPhisher	Browse	185.208.158.9

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp	noode.exe	Get hash	malicious	Socks5Systemz	Browse
C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp	noode.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	noode.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	HTMLPhisher	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	qgdf1HLJno.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe

Download File

Process:	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2586624
Entropy (8bit):	7.0380268176847265
Encrypted:	false
SSDEEP:	49152:rW4JtS+gCIx4ICoueGCMZuQfgQxQ/jgYsoPZnvhuN4Q28g:JIx4I9XGCMEQIqJ3WnYN4Q28g
MD5:	96504F6C70AD91FDC3D32BF7C3FA2696
SHA1:	5253C2279D7AD28D355DF486FA54698AFF453FEF
SHA-256:	307B073C7B8C4FBDE223BD99B0A76D99ED8743DA27208CA59A437F9FE9F4C904
SHA-512:	E2D1BAF4E09DD36842DAFF59D0ACD4B4D94594309D01DA653095557850C47FE75E7844078C146D7489A1A3B8966A1E39C41A943285BC4E7CC9134D2A03E15C4A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....u.L..................".........(."......."...@...........................'......#(......................................."......p#..`............................................................................"..............................text.....".......".................`....rdata........".......".............@..@.data...8d....#..0....".............@....rsrc....b...p#..b....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\em102it46.dat

Download File

Process:	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:PDtl:r
MD5:	80CC7E2E410B63D8EA5C5A746028D5E0
SHA1:	FFFF6F79D563E0C02950FFDF975C93FA2A1CE68D
SHA-256:	7A1FFFA01C0AEE4DB433C5F3AF51830ED8C90C61142506405CFD86436C43ECB7
SHA-512:	194F0FCDC3E09F7973D0A1F499ACBE4C7A22F079D70777CF7CF8AEBD89D505EE2FFB0DBAC872E5448F58D3522D9C5BAF83CED5F310E65F0F5D80456536168FC1
Malicious:	false
Reputation:	low
Preview:	H<.f....

C:\ProgramData\em102rc46.dat

Download File

Process:	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:s:s
MD5:	332CE785E973574A1C5FDAF3EEE3F083
SHA1:	229F404A02E78C1CA4D476853B2621D128ACABCC
SHA-256:	A2D398922901344D08180DC41D3E9D73D8C148C7F6E092835BBB28E02DBCF184
SHA-512:	A93498D992E81915075144CB304D2BDF040B336283F888252244882D8366DD3A6E2D9749077114DDA1A9AA1A7B69D33F7A781F003CCD12E599A6341014F29AAF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	a...

C:\ProgramData\em102resa.dat

Download File

Process:	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9545817380615236
Encrypted:	false
SSDEEP:	3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
MD5:	98DDA7FC0B3E548B68DE836D333D1539
SHA1:	D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
SHA-256:	870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
SHA-512:	E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................

C:\ProgramData\em102resb.dat

Download File

Process:	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	1.7095628900165245
Encrypted:	false
SSDEEP:	3:LDXdQSWBdMUE/:LLdQSGd
MD5:	4FFFD4D2A32CBF8FB78D521B4CC06680
SHA1:	3FA6EFA82F738740179A9388D8046619C7EBDF54
SHA-256:	EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
SHA-512:	130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	dad6f9fa0c8327344d1aa24f183c3767................................................................................................

C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

Download File

Process:	C:\Users\user\Desktop\Xzm9fAfKhB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	709120
Entropy (8bit):	6.498750714093575
Encrypted:	false
SSDEEP:	12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9kT
MD5:	16C9D19AB32C18671706CEFEE19B6949
SHA1:	FCA23338CB77068E1937DF4E59D9C963C5548CF8
SHA-256:	C1769524411682D5A204C8A40F983123C67EFEADB721160E42D7BBFE4531EB70
SHA-512:	32B4B0B2FB56A299046EC26FB41569491E8B0CD2F8BEC9D57EC0D1AD1A7860EEC72044DAB2D5044CB452ED46E9F21513EAB2171BAFA9087AF6D2DE296455C64B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: noode.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: noode.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: noode.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: qgdf1HLJno.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.745960477552938
Encrypted:	false
SSDEEP:	384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
MD5:	A813D18268AFFD4763DDE940246DC7E5
SHA1:	C7366E1FD925C17CC6068001BD38EAEF5B42852F
SHA-256:	E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
SHA-512:	B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-0CKRF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	65181
Entropy (8bit):	6.085572761520829
Encrypted:	false
SSDEEP:	768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
MD5:	98A49CC8AE2D608C6E377E95833C569B
SHA1:	BA001D8595AC846D9736A8A7D9161828615C135A
SHA-256:	213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
SHA-512:	C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-199CA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	268404
Entropy (8bit):	6.265024248848175
Encrypted:	false
SSDEEP:	3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
MD5:	C4C23388109D8A9CC2B87D984A1F09B8
SHA1:	74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
SHA-256:	11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
SHA-512:	060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............\|..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-3AK63.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	448557
Entropy (8bit):	6.353356595345232
Encrypted:	false
SSDEEP:	12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
MD5:	908111F583B7019D2ED3492435E5092D
SHA1:	8177C5E3B4D5CC1C65108E095D07E0389164DA76
SHA-256:	E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
SHA-512:	FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....\|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-4QN63.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1606715
Entropy (8bit):	6.432733703292802
Encrypted:	false
SSDEEP:	24576:qi0l5PSkLHq6M30RmWXD4cE/TpXy4CEJQwAj7/RyYijPIDEFIgX3zdHyqFMa:eSqVMkRm3dyEYiGEFTdfFN
MD5:	34007E6F8E18D371DBFF19A279B008C3
SHA1:	58B091382EB981587CA6FDFAFC314E458598B8BB
SHA-256:	44D65416BB7EC0F43CE91927B33002CDF3E56038562F83E602C19A20C48AEB7D
SHA-512:	37F6338CDEA6220CF9079F25F760A2C7A50A01BD6A98C01798D20203F5A56FA0F37CDD7E91AE246C1077A34EC4FA42E9D2305ADA7CA8945E6591C8E26164C906
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#.............*................xm......................................... .........................9........z......`.......................<....................................................................................text...D...........................`.P`.data...............................@.`..rdata..4...........................@.`@/4......D...........................@.0@.bss.....)............................`..edata..9........ ...\|..............@.0@.idata...z.......\|..................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...`...........................@.0..reloc..<............ ..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-57AK2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.579154579239999
Encrypted:	false
SSDEEP:	3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
MD5:	236A679AB1B16E66625AFBA86A4669EB
SHA1:	73AE354886AB2609FFA83429E74D8D9F34BD45F2
SHA-256:	B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
SHA-512:	C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..\|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-5O6A6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1374336
Entropy (8bit):	6.544219940913283
Encrypted:	false
SSDEEP:	24576:XxPyiEuJLPKpBW3n41iniSpKMFH/ZNYTujQb/XseSGwUCowrnDKHYHdT8s5ly8:B5XlHdxV
MD5:	86CE128833ECB1AC52EBED17993C1B56
SHA1:	C7FC8F88E908591CAAA9F25B954B06E814576158
SHA-256:	B22B57B0B6E0FD531CEA32CED338B9D12DD018D09D0B95CD61F166F64253B355
SHA-512:	1B8BEE2668599E33EA6F8121F7584431211512D6BCC8B409EAE162FBD6B505B0F4D0CD984AC8439C515BE4058A20270954D5DCBC62D16E95ED31A8225500F839
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........L......#.....0...................@.....k.................................W........ .........................I....P...................................}...................................................i...............................text..../.......0..................`.P`.data...<....@.......4..............@.@..rdata..,....P.......6..............@.`@/4.......@...@...B...&..............@.0@.bss..................................`..edata..I............h..............@.0@.idata.......P......................@.0..CRT....,....p.......&..............@.0..tls.... ............(..............@.0..reloc...}.......~...*..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-79FJ7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	291245
Entropy (8bit):	6.234245376773595
Encrypted:	false
SSDEEP:	6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
MD5:	2D8A0BC588118AA2A63EED7BF6DFC8C5
SHA1:	7FB318DC21768CD62C0614D7AD773CCFB7D6C893
SHA-256:	707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
SHA-512:	A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-7H0OE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	509934
Entropy (8bit):	6.031080686301204
Encrypted:	false
SSDEEP:	6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
MD5:	02E6C6AB886700E6F184EEE43157C066
SHA1:	E796B7F7762BE9B90948EB80D0138C4598700ED9
SHA-256:	EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
SHA-512:	E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................\|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-87RHL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26562
Entropy (8bit):	5.606958768500933
Encrypted:	false
SSDEEP:	768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
MD5:	E9C7068B3A10C09A283259AA1B5D86F2
SHA1:	3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
SHA-256:	06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
SHA-512:	AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-8MT3T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	235032
Entropy (8bit):	6.398850087061798
Encrypted:	false
SSDEEP:	6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5:	E1D0ACD1243F9E59491DC115F4E379A4
SHA1:	5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256:	FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512:	392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-9NRJ4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	98626
Entropy (8bit):	6.478068795827396
Encrypted:	false
SSDEEP:	1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
MD5:	70CA53E8B46464CCF956D157501D367A
SHA1:	AE0356FAE59D9C2042270E157EA0D311A831C86A
SHA-256:	4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
SHA-512:	CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-BT9F1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	337171
Entropy (8bit):	6.46334441651647
Encrypted:	false
SSDEEP:	3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
MD5:	51D62C9C7D56F2EF2F0F628B8FC249AD
SHA1:	33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
SHA-256:	FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
SHA-512:	03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-CFA55.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	174543
Entropy (8bit):	6.3532700320638025
Encrypted:	false
SSDEEP:	3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:	65D8CB2733295758E5328E5A3E1AFF15
SHA1:	F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:	E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:	BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-CFKF2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	140752
Entropy (8bit):	6.52778891175594
Encrypted:	false
SSDEEP:	3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
MD5:	A8F646EB087F06F5AEBC2539EB14C14D
SHA1:	4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
SHA-256:	A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
SHA-512:	93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-CP383.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1545467
Entropy (8bit):	6.529166035051036
Encrypted:	false
SSDEEP:	24576:f//9GOTyiDI4jm0B4/W1EkWLENaQemY0y6hW98cA4q0v4gf:bVYKW983e
MD5:	7F95672216191C57573D049090125ECE
SHA1:	2C9D065A1F28F511149C3DBA219B52004FC51262
SHA-256:	689991853CD09032089F52656C9508061F105FAB5727F250890563EBF2656A45
SHA-512:	FD0DD095D5D76400FA97F5B3231D16570284EC31D04E2E9F3278F378233F316D4D91715898BF8A1B81803E613B97B2FE5FB064A9BD6BAE6E08AD3CAB9613E61B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~.........#.....4...z...............P.....o.......................................... ..........................p...0...............................p...t...........................`.......................2..D............................text....2.......4..................`.P`.data........P... ...8..............@.`..rdata..@....p.......X..............@.`@/4.......M...P...N...2..............@.0@.bss..................................`..edata...p.......r..................@.0@.idata.......0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc...t...p...v..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-EHS2H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1400653
Entropy (8bit):	6.518664771362139
Encrypted:	false
SSDEEP:	24576:YiyJaaUAnPfI1FO1Fm5wukMdBdfrwQAZV2R6yeYH3bhlN77S+N+RoQ8J0fnuVj1z:4aaUAnI1FOFmZkM1i2n5h++N+RCJ0fA1
MD5:	1124DD59526216DF405C4514949CCB54
SHA1:	8226C42D98B9D3C0E83A11167963D5B38B6DDD45
SHA-256:	A9016D40755966C547464430D3509CC3CFE9DD5D8B53F8B694B42B0D7141E5D6
SHA-512:	F007FBD3FBA7E3966FAF5F9D857ADB6607A99CD6FD8FFDF14E858BE6C4A0B155A9197BAA9D1DF0A28AF733F78F8A7346357EBAA7D3BD0C3934BF815CC51A930D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F.........#.........B... .................q.................................y........ ...................... .......................................0..t............................ ......................8................................text...............................`.P`.data...............................@.`..rdata..Tn... ...p..................@.`@/4.......c.......d...x..............@.0@.bss..................................`..edata....... ......................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc..t....0......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-EULG2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	814068
Entropy (8bit):	6.5113626552096
Encrypted:	false
SSDEEP:	24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5:	5B1EB4B36F189362DEF93BF3E37354CC
SHA1:	8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256:	D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512:	BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-FOK4M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	397808
Entropy (8bit):	6.396146399966879
Encrypted:	false
SSDEEP:	6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
MD5:	E0747D2E573E0A05A7421C5D9B9D63CC
SHA1:	C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
SHA-256:	25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
SHA-512:	201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-H1FDK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	64724
Entropy (8bit):	5.910307743399971
Encrypted:	false
SSDEEP:	768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
MD5:	7AF455ADEA234DEA33B2A65B715BF683
SHA1:	F9311CB03DCF50657D160D89C66998B9BB1F40BA
SHA-256:	6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
SHA-512:	B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-HQ8HN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	181527
Entropy (8bit):	6.362061002967905
Encrypted:	false
SSDEEP:	3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:	0D0D311D1837705B1EAFBC5A85A695BD
SHA1:	AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:	AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:	14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............\|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-I4ASE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1055417
Entropy (8bit):	7.312780382733874
Encrypted:	false
SSDEEP:	24576:1MWKOBAUZLYRwPKDOlbbT0pGavkg3NyeuQ6l9fHOfc4Z:1dBAUZLYWiDOSpGaXBuQQ9u3Z
MD5:	F721A6B0A1590D55EADEAE81B8F629AA
SHA1:	8C6ED37D1D926D949161FF5F3B5682A4068644CE
SHA-256:	8E2EB9BAC3F5C37D91BFF7F04420DDA55CD369178C73ADF11E6C4DD7E597260F
SHA-512:	2FFDB23615EE72DF600248D6B9DED0E25DAE12D8424557EC07589F34601C00421CF32A748CB564AFCED99B419805E43BF4D6D05EC33D581DBD03F9AF853005E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........F......#.............................. f.......................................... ...................... ..u....0..<....`.......................p...............................P......................T1...............................text...D...........................`.P`.data...T...........................@.0..rdata..............................@.`@/4......TI.......J..................@.0@.bss..................................`..edata..u.... ......................@.0@.idata..<....0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-I5IDJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92019
Entropy (8bit):	5.974787373427489
Encrypted:	false
SSDEEP:	1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
MD5:	CC7DAD980DD04E0387795741D809CBF7
SHA1:	A49178A17B1C72AD71558606647F5011E0AA444B
SHA-256:	0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
SHA-512:	E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0..............................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.........................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-I7J48.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	463112
Entropy (8bit):	6.363613724826455
Encrypted:	false
SSDEEP:	12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:	D9D9C79E35945FCA3F9D9A49378226E7
SHA1:	4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:	18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:	B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-JCARN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	165739
Entropy (8bit):	6.062324507479428
Encrypted:	false
SSDEEP:	3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
MD5:	E2F18B37BC3D02CDE2E5C15D93E38418
SHA1:	1A6C58F4A50269D3DB8C86D94B508A1919841279
SHA-256:	7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
SHA-512:	61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-K6A8A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	data
Category:	dropped
Size (bytes):	2586624
Entropy (8bit):	7.038026594065054
Encrypted:	false
SSDEEP:	49152:uW4JtS+gCIx4ICoueGCMZuQfgQxQ/jgYsoPZnvhuN4Q28g:qIx4I9XGCMEQIqJ3WnYN4Q28g
MD5:	9AC8705D486EC4A8049ADFEFFCF04C33
SHA1:	AECFC52BB5CFE135A10AE8E5B3EDA096BF2ED2D2
SHA-256:	EA2F8A32E61BF48DD43BA926C69C3680AA7624AAAD4D95190541AF2CB78F392B
SHA-512:	1782856848F1F34878E9B54C394D982AE5E103126633F7A722408082794A7223F5EBBBFCCD8864546E19F9C7AB2BB6AC32F2E65DCCEF49DF79D44D344EA3E71C
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....u.L..................".........(."......."...@...........................'......#(......................................."......p#..`............................................................................"..............................text.....".......".................`....rdata........".......".............@..@.data...8d....#..0....".............@....rsrc....b...p#..b....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-KRQSU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	30994
Entropy (8bit):	5.666281517516177
Encrypted:	false
SSDEEP:	768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
MD5:	3C033F35FE26BC711C4D68EB7CF0066D
SHA1:	83F1AED76E6F847F6831A1A1C00FEDC50F909B81
SHA-256:	9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
SHA-512:	7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#........l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.........................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-NES8J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	693931
Entropy (8bit):	6.506667977069754
Encrypted:	false
SSDEEP:	12288:pgl0XdgCyZfZ1hTDy4ArwyP5Lt6fEWmOxU:u0NnYZ1hTDy44PTZOG
MD5:	37CE2C67DDCEE507833B9AE784AE515D
SHA1:	711B2AAE989D439CC816D198A3A4A7CDD6A070A3
SHA-256:	7A2BD595F34A25C13E94E4C2CDFB1758E9DE60FA7D497F5755BBBF906E82A0D7
SHA-512:	B8FB5A3D2CA99A661FB35F1C560A283070D28A1E438BF124632D4AD8D2EBE0869DF73F1AB8149DEA1FCA66B0285D28028DF83EF36AB27431ED26176EC2A21FCE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....Z...\|...............p.....b.......................................... ......................p../.......(...............................t....................................................................................text....Y.......Z..................`.P`.data...L....p.......^..............@.0..rdata..x............`..............@.`@/4...........0...0..................@.0@.bss.........`........................`..edata../....p.......2..............@.0@.idata..(............J..............@.0..CRT....,............\..............@.0..tls.... ............^..............@.0..reloc..t........ ...`..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-OOHEU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	441975
Entropy (8bit):	6.372283713065844
Encrypted:	false
SSDEEP:	6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
MD5:	6CD78C8ADD1CFC7CBB85E2B971FCC764
SHA1:	5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
SHA-256:	C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
SHA-512:	EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................\|....................................................................................text...4\|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..\|...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-PMES9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	259014
Entropy (8bit):	6.075222655669795
Encrypted:	false
SSDEEP:	3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
MD5:	B4FDE05A19346072C713BE2926AF8961
SHA1:	102562DE2240042B654C464F1F22290676CB6E0F
SHA-256:	513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
SHA-512:	9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-R7G7O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248694
Entropy (8bit):	6.346971642353424
Encrypted:	false
SSDEEP:	6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
MD5:	39A15291B9A87AEE42FBC46EC1FE35D6
SHA1:	AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
SHA-256:	7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
SHA-512:	FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................\|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-RPNLQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1222671
Entropy (8bit):	6.4094687832944235
Encrypted:	false
SSDEEP:	24576:s2AYizbUVBV0u6ydQXUPIUJL0VGQRhORRajBbGN2JtYI3+0EIZy3fh6UtvR6YO3c:1AYhVBBsUJLORhH0QtYI33EuS1tvzO3c
MD5:	C12734BD4C4C33E788FE7FC6C1E47522
SHA1:	F474AB91C5DECD6D533C1DA016DC65800DBC5E9D
SHA-256:	9FFCD35CAEC4B199481620C82B8E2AFA9AE26F557D9A99C18B7DC23E61D59131
SHA-512:	AE948D3AB723144D2546F8B3401805CCFFBB312A14AD8D314685FB1EA85E74955F1372FEFE177571F518F51E66783B9813F876B93B35ED6E27C0E4743D59FA80
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........z..(......#.........v....................\|h.................................*........ ......................`.......0.......p...........................k...........................`......................d5..`............................text...X...........................`.P`.data...\|...........................@.`..rdata...N.......P..................@.`@/4......l....0......................@.0@.bss.... ....@........................`..edata.......`......................@.0@.idata.......0... ..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc........p......................@.0..reloc...k.......l..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-SD4OG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	706136
Entropy (8bit):	6.517672165992715
Encrypted:	false
SSDEEP:	12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
MD5:	3A8A13F0215CDA541EC58F7C80ED4782
SHA1:	085C3D5F62227319446DD61082919F6BE1EFD162
SHA-256:	A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
SHA-512:	4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-TL6PF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	121524
Entropy (8bit):	6.347995296737745
Encrypted:	false
SSDEEP:	1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:	6CE25FB0302F133CC244889C360A6541
SHA1:	352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:	E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:	3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-TUTT5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248781
Entropy (8bit):	6.474165596279956
Encrypted:	false
SSDEEP:	3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
MD5:	C4002F9E4234DFB5DBE64C8D2C9C2F09
SHA1:	5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
SHA-256:	F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
SHA-512:	4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\is-UVS9J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	101544
Entropy (8bit):	6.237382830377451
Encrypted:	false
SSDEEP:	1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5:	E13FCD8FB16E483E4DE47A036687D904
SHA1:	A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256:	0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512:	38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......... ...,..................@.0@.bss.........P........................`..edata..-....`.....................@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libfreetype-6.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	693931
Entropy (8bit):	6.506667977069754
Encrypted:	false
SSDEEP:	12288:pgl0XdgCyZfZ1hTDy4ArwyP5Lt6fEWmOxU:u0NnYZ1hTDy44PTZOG
MD5:	37CE2C67DDCEE507833B9AE784AE515D
SHA1:	711B2AAE989D439CC816D198A3A4A7CDD6A070A3
SHA-256:	7A2BD595F34A25C13E94E4C2CDFB1758E9DE60FA7D497F5755BBBF906E82A0D7
SHA-512:	B8FB5A3D2CA99A661FB35F1C560A283070D28A1E438BF124632D4AD8D2EBE0869DF73F1AB8149DEA1FCA66B0285D28028DF83EF36AB27431ED26176EC2A21FCE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....Z...\|...............p.....b.......................................... ......................p../.......(...............................t....................................................................................text....Y.......Z..................`.P`.data...L....p.......^..............@.0..rdata..x............`..............@.`@/4...........0...0..................@.0@.bss.........`........................`..edata../....p.......2..............@.0@.idata..(............J..............@.0..CRT....,............\..............@.0..tls.... ............^..............@.0..reloc..t........ ...`..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgcc_s_dw2-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	121524
Entropy (8bit):	6.347995296737745
Encrypted:	false
SSDEEP:	1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:	6CE25FB0302F133CC244889C360A6541
SHA1:	352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:	E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:	3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgdk-win32-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	814068
Entropy (8bit):	6.5113626552096
Encrypted:	false
SSDEEP:	24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5:	5B1EB4B36F189362DEF93BF3E37354CC
SHA1:	8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256:	D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512:	BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgdk_pixbuf-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	181527
Entropy (8bit):	6.362061002967905
Encrypted:	false
SSDEEP:	3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:	0D0D311D1837705B1EAFBC5A85A695BD
SHA1:	AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:	AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:	14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............\|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgdkmm-2.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	268404
Entropy (8bit):	6.265024248848175
Encrypted:	false
SSDEEP:	3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
MD5:	C4C23388109D8A9CC2B87D984A1F09B8
SHA1:	74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
SHA-256:	11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
SHA-512:	060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............\|..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgio-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1606715
Entropy (8bit):	6.432733703292802
Encrypted:	false
SSDEEP:	24576:qi0l5PSkLHq6M30RmWXD4cE/TpXy4CEJQwAj7/RyYijPIDEFIgX3zdHyqFMa:eSqVMkRm3dyEYiGEFTdfFN
MD5:	34007E6F8E18D371DBFF19A279B008C3
SHA1:	58B091382EB981587CA6FDFAFC314E458598B8BB
SHA-256:	44D65416BB7EC0F43CE91927B33002CDF3E56038562F83E602C19A20C48AEB7D
SHA-512:	37F6338CDEA6220CF9079F25F760A2C7A50A01BD6A98C01798D20203F5A56FA0F37CDD7E91AE246C1077A34EC4FA42E9D2305ADA7CA8945E6591C8E26164C906
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#.............*................xm......................................... .........................9........z......`.......................<....................................................................................text...D...........................`.P`.data...............................@.`..rdata..4...........................@.`@/4......D...........................@.0@.bss.....)............................`..edata..9........ ...\|..............@.0@.idata...z.......\|..................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...`...........................@.0..reloc..<............ ..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgiomm-2.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1374336
Entropy (8bit):	6.544219940913283
Encrypted:	false
SSDEEP:	24576:XxPyiEuJLPKpBW3n41iniSpKMFH/ZNYTujQb/XseSGwUCowrnDKHYHdT8s5ly8:B5XlHdxV
MD5:	86CE128833ECB1AC52EBED17993C1B56
SHA1:	C7FC8F88E908591CAAA9F25B954B06E814576158
SHA-256:	B22B57B0B6E0FD531CEA32CED338B9D12DD018D09D0B95CD61F166F64253B355
SHA-512:	1B8BEE2668599E33EA6F8121F7584431211512D6BCC8B409EAE162FBD6B505B0F4D0CD984AC8439C515BE4058A20270954D5DCBC62D16E95ED31A8225500F839
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........L......#.....0...................@.....k.................................W........ .........................I....P...................................}...................................................i...............................text..../.......0..................`.P`.data...<....@.......4..............@.@..rdata..,....P.......6..............@.`@/4.......@...@...B...&..............@.0@.bss..................................`..edata..I............h..............@.0@.idata.......P......................@.0..CRT....,....p.......&..............@.0..tls.... ............(..............@.0..reloc...}.......~...*..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libglib-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1222671
Entropy (8bit):	6.4094687832944235
Encrypted:	false
SSDEEP:	24576:s2AYizbUVBV0u6ydQXUPIUJL0VGQRhORRajBbGN2JtYI3+0EIZy3fh6UtvR6YO3c:1AYhVBBsUJLORhH0QtYI33EuS1tvzO3c
MD5:	C12734BD4C4C33E788FE7FC6C1E47522
SHA1:	F474AB91C5DECD6D533C1DA016DC65800DBC5E9D
SHA-256:	9FFCD35CAEC4B199481620C82B8E2AFA9AE26F557D9A99C18B7DC23E61D59131
SHA-512:	AE948D3AB723144D2546F8B3401805CCFFBB312A14AD8D314685FB1EA85E74955F1372FEFE177571F518F51E66783B9813F876B93B35ED6E27C0E4743D59FA80
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........z..(......#.........v....................\|h.................................*........ ......................`.......0.......p...........................k...........................`......................d5..`............................text...X...........................`.P`.data...\|...........................@.`..rdata...N.......P..................@.`@/4......l....0......................@.0@.bss.... ....@........................`..edata.......`......................@.0@.idata.......0... ..................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc........p......................@.0..reloc...k.......l..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libglibmm-2.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	463112
Entropy (8bit):	6.363613724826455
Encrypted:	false
SSDEEP:	12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:	D9D9C79E35945FCA3F9D9A49378226E7
SHA1:	4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:	18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:	B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgmodule-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26562
Entropy (8bit):	5.606958768500933
Encrypted:	false
SSDEEP:	768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
MD5:	E9C7068B3A10C09A283259AA1B5D86F2
SHA1:	3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
SHA-256:	06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
SHA-512:	AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgobject-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	337171
Entropy (8bit):	6.46334441651647
Encrypted:	false
SSDEEP:	3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
MD5:	51D62C9C7D56F2EF2F0F628B8FC249AD
SHA1:	33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
SHA-256:	FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
SHA-512:	03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgomp-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	174543
Entropy (8bit):	6.3532700320638025
Encrypted:	false
SSDEEP:	3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:	65D8CB2733295758E5328E5A3E1AFF15
SHA1:	F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:	E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:	BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libgraphite2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	235032
Entropy (8bit):	6.398850087061798
Encrypted:	false
SSDEEP:	6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5:	E1D0ACD1243F9E59491DC115F4E379A4
SHA1:	5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256:	FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512:	392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libharfbuzz-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	441975
Entropy (8bit):	6.372283713065844
Encrypted:	false
SSDEEP:	6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
MD5:	6CD78C8ADD1CFC7CBB85E2B971FCC764
SHA1:	5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
SHA-256:	C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
SHA-512:	EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................\|....................................................................................text...4\|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..\|...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libiconv-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1055417
Entropy (8bit):	7.312780382733874
Encrypted:	false
SSDEEP:	24576:1MWKOBAUZLYRwPKDOlbbT0pGavkg3NyeuQ6l9fHOfc4Z:1dBAUZLYWiDOSpGaXBuQQ9u3Z
MD5:	F721A6B0A1590D55EADEAE81B8F629AA
SHA1:	8C6ED37D1D926D949161FF5F3B5682A4068644CE
SHA-256:	8E2EB9BAC3F5C37D91BFF7F04420DDA55CD369178C73ADF11E6C4DD7E597260F
SHA-512:	2FFDB23615EE72DF600248D6B9DED0E25DAE12D8424557EC07589F34601C00421CF32A748CB564AFCED99B419805E43BF4D6D05EC33D581DBD03F9AF853005E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........F......#.............................. f.......................................... ...................... ..u....0..<....`.......................p...............................P......................T1...............................text...D...........................`.P`.data...T...........................@.0..rdata..............................@.`@/4......TI.......J..................@.0@.bss..................................`..edata..u.... ......................@.0@.idata..<....0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libintl-8.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	140752
Entropy (8bit):	6.52778891175594
Encrypted:	false
SSDEEP:	3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
MD5:	A8F646EB087F06F5AEBC2539EB14C14D
SHA1:	4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
SHA-256:	A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
SHA-512:	93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libjpeg-8.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	509934
Entropy (8bit):	6.031080686301204
Encrypted:	false
SSDEEP:	6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
MD5:	02E6C6AB886700E6F184EEE43157C066
SHA1:	E796B7F7762BE9B90948EB80D0138C4598700ED9
SHA-256:	EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
SHA-512:	E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................\|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\liblcms2-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	397808
Entropy (8bit):	6.396146399966879
Encrypted:	false
SSDEEP:	6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
MD5:	E0747D2E573E0A05A7421C5D9B9D63CC
SHA1:	C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
SHA-256:	25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
SHA-512:	201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\liblzma-5.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.579154579239999
Encrypted:	false
SSDEEP:	3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
MD5:	236A679AB1B16E66625AFBA86A4669EB
SHA1:	73AE354886AB2609FFA83429E74D8D9F34BD45F2
SHA-256:	B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
SHA-512:	C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..\|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpango-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	259014
Entropy (8bit):	6.075222655669795
Encrypted:	false
SSDEEP:	3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
MD5:	B4FDE05A19346072C713BE2926AF8961
SHA1:	102562DE2240042B654C464F1F22290676CB6E0F
SHA-256:	513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
SHA-512:	9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpangocairo-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	64724
Entropy (8bit):	5.910307743399971
Encrypted:	false
SSDEEP:	768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
MD5:	7AF455ADEA234DEA33B2A65B715BF683
SHA1:	F9311CB03DCF50657D160D89C66998B9BB1F40BA
SHA-256:	6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
SHA-512:	B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpangoft2-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92019
Entropy (8bit):	5.974787373427489
Encrypted:	false
SSDEEP:	1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
MD5:	CC7DAD980DD04E0387795741D809CBF7
SHA1:	A49178A17B1C72AD71558606647F5011E0AA444B
SHA-256:	0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
SHA-512:	E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0..............................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.........................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpangomm-1.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	165739
Entropy (8bit):	6.062324507479428
Encrypted:	false
SSDEEP:	3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
MD5:	E2F18B37BC3D02CDE2E5C15D93E38418
SHA1:	1A6C58F4A50269D3DB8C86D94B508A1919841279
SHA-256:	7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
SHA-512:	61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpangowin32-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	101544
Entropy (8bit):	6.237382830377451
Encrypted:	false
SSDEEP:	1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5:	E13FCD8FB16E483E4DE47A036687D904
SHA1:	A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256:	0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512:	38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......... ...,..................@.0@.bss.........P........................`..edata..-....`.....................@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpcre-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	291245
Entropy (8bit):	6.234245376773595
Encrypted:	false
SSDEEP:	6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
MD5:	2D8A0BC588118AA2A63EED7BF6DFC8C5
SHA1:	7FB318DC21768CD62C0614D7AD773CCFB7D6C893
SHA-256:	707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
SHA-512:	A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpixman-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	706136
Entropy (8bit):	6.517672165992715
Encrypted:	false
SSDEEP:	12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
MD5:	3A8A13F0215CDA541EC58F7C80ED4782
SHA1:	085C3D5F62227319446DD61082919F6BE1EFD162
SHA-256:	A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
SHA-512:	4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libpng16-16.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248781
Entropy (8bit):	6.474165596279956
Encrypted:	false
SSDEEP:	3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
MD5:	C4002F9E4234DFB5DBE64C8D2C9C2F09
SHA1:	5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
SHA-256:	F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
SHA-512:	4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\librsvg-2-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248694
Entropy (8bit):	6.346971642353424
Encrypted:	false
SSDEEP:	6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
MD5:	39A15291B9A87AEE42FBC46EC1FE35D6
SHA1:	AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
SHA-256:	7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
SHA-512:	FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................\|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libsigc-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	30994
Entropy (8bit):	5.666281517516177
Encrypted:	false
SSDEEP:	768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
MD5:	3C033F35FE26BC711C4D68EB7CF0066D
SHA1:	83F1AED76E6F847F6831A1A1C00FEDC50F909B81
SHA-256:	9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
SHA-512:	7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#........l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.........................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libstdc++-6.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1545467
Entropy (8bit):	6.529166035051036
Encrypted:	false
SSDEEP:	24576:f//9GOTyiDI4jm0B4/W1EkWLENaQemY0y6hW98cA4q0v4gf:bVYKW983e
MD5:	7F95672216191C57573D049090125ECE
SHA1:	2C9D065A1F28F511149C3DBA219B52004FC51262
SHA-256:	689991853CD09032089F52656C9508061F105FAB5727F250890563EBF2656A45
SHA-512:	FD0DD095D5D76400FA97F5B3231D16570284EC31D04E2E9F3278F378233F316D4D91715898BF8A1B81803E613B97B2FE5FB064A9BD6BAE6E08AD3CAB9613E61B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........~.........#.....4...z...............P.....o.......................................... ..........................p...0...............................p...t...........................`.......................2..D............................text....2.......4..................`.P`.data........P... ...8..............@.`..rdata..@....p.......X..............@.`@/4.......M...P...N...2..............@.0@.bss..................................`..edata...p.......r..................@.0@.idata.......0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc...t...p...v..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libtiff-5.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	448557
Entropy (8bit):	6.353356595345232
Encrypted:	false
SSDEEP:	12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
MD5:	908111F583B7019D2ED3492435E5092D
SHA1:	8177C5E3B4D5CC1C65108E095D07E0389164DA76
SHA-256:	E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
SHA-512:	FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....\|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libwinpthread-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	65181
Entropy (8bit):	6.085572761520829
Encrypted:	false
SSDEEP:	768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
MD5:	98A49CC8AE2D608C6E377E95833C569B
SHA1:	BA001D8595AC846D9736A8A7D9161828615C135A
SHA-256:	213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
SHA-512:	C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\libxml2-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1400653
Entropy (8bit):	6.518664771362139
Encrypted:	false
SSDEEP:	24576:YiyJaaUAnPfI1FO1Fm5wukMdBdfrwQAZV2R6yeYH3bhlN77S+N+RoQ8J0fnuVj1z:4aaUAnI1FOFmZkM1i2n5h++N+RCJ0fA1
MD5:	1124DD59526216DF405C4514949CCB54
SHA1:	8226C42D98B9D3C0E83A11167963D5B38B6DDD45
SHA-256:	A9016D40755966C547464430D3509CC3CFE9DD5D8B53F8B694B42B0D7141E5D6
SHA-512:	F007FBD3FBA7E3966FAF5F9D857ADB6607A99CD6FD8FFDF14E858BE6C4A0B155A9197BAA9D1DF0A28AF733F78F8A7346357EBAA7D3BD0C3934BF815CC51A930D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........F.........#.........B... .................q.................................y........ ...................... .......................................0..t............................ ......................8................................text...............................`.P`.data...............................@.`..rdata..Tn... ...p..................@.`@/4.......c.......d...x..............@.0@.bss..................................`..edata....... ......................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc..t....0......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\themes\92-Beige-DarkCyan.gtkrc (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	15008
Entropy (8bit):	5.270725103917416
Encrypted:	false
SSDEEP:	384:s/nUm8NYR/fiYM8LXMX5fs38Ffx4Bf0lAT9:s/nX00iY/XMXq38FxK0lq
MD5:	64C98ACB587FC7E4F237EADAA84A591D
SHA1:	B92C3D066E67FC230D56E690AE1CC21222265614
SHA-256:	6E8E87C68E7EFC5CCF8694042649DE3EBA01EC1DF242C22D40842AF885D1118D
SHA-512:	B1542C0E3D5411CD8581150FE2D81401C93686E7E43754E8BF8F78ACBEB73A041F7D9223D7DC8072C132273D1DB6EB9917ED04F9F2123C1CEA4062E59CD7F129
Malicious:	false
Preview:	#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_base_color:#ffffff\nrt_fg_color:#101010\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#7C99AD\nrt_selected_fg_color:#ffffff\nrt_text_c

C:\Users\user\AppData\Local\Zexter Video Codec\themes\92-Beige-DarkCyan.iconset (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.136842188131013
Encrypted:	false
SSDEEP:	3:1ERdiAqRv:1+MJ
MD5:	2BE834BAC02BFB69E1E7935A62A6B8FB
SHA1:	6165F776AC298A991E497B03E9C2E1797ED81029
SHA-256:	113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
SHA-512:	1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
Malicious:	false
Preview:	[General].Iconset=Light.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-down-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	137
Entropy (8bit):	5.815385299502723
Encrypted:	false
SSDEEP:	3:yionv//thPljll8ll1Aqg/ml90lvGdw1CwHTQ5NsEZxKG2mpFbp:6v/lhPW/WqgmnBdw1CFNsgdLbp
MD5:	CE4C02BA4708A1AAB1572A9148A94B95
SHA1:	E90673F72B063A610E7383EB7DAFEC7F0BD35549
SHA-256:	6E1332235BB51B2E29B244E5056A6C82015A5FEE79DB2D3A553CD6610DC3BB04
SHA-512:	902C214744235E7CA936D2B16215B63500BA980C00ADFD3773D2EFA65E12FD3EB34DA4F430024BEF2F781F762E4A938778C6AD71AF6D86A9CF02EF53C41E1233
Malicious:	false
Preview:	.PNG........IHDR.............V.W...PIDAT8.c`......._..........H1.....8....XIu.... ..b+..E.$..(.+. ...( .4.e@x4..G..6.g...t....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-down-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	194
Entropy (8bit):	6.478660891705174
Encrypted:	false
SSDEEP:	3:yionv//thPljll8llsAX81qfqjovwzflWfXbbt8i7ltydfIxDGKuQ11iEUvWK2K1:6v/lhPW/sAXkDokflSoAkpOKtMyldp
MD5:	88BC92E4CF3288BA93CAF398950874CD
SHA1:	F1B9F2C5EF5566C5BD983B5E1B3DFF17B06412F2
SHA-256:	258CD3545E4E4A9CF32F31FBD1AAF19869118F2B32CC8AB88C421D53F0A63D6D
SHA-512:	07DCA4BFC9581F425D7BAAB13E91668A0F1C832518DE7E98C0F872A305401B68B1D1C6DB56A81CF55A81E6587DD57168AF49D5676FF24C07A0BF6B0E04FADF8B
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...!..a......I.h..y......U...,.@3:O..E!x/......Q.@..9........{..b..U.0...&HQ.5........P.W ..;......hc.3.....B.}........h..f...;l^.. *.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-down.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	206
Entropy (8bit):	6.093633689706192
Encrypted:	false
SSDEEP:	6:6v/lhPW/f19VNtTlMGBSCghX2AGBIcDV6fr66Vp:6v/7uTVPTChXCBN8fJ7
MD5:	2DE4E41A0E31A4C0FBB2D7FC3CBC31CE
SHA1:	0704F540352C579647D28E5E7821D7CA7FCC6613
SHA-256:	FBEC4D0BC6ED3DFDADADFFD10EB9F04058DFC11E7248DD73814E7806E58795FA
SHA-512:	FE60C53AADB80B6B922E17B822710A6820046C07D2742694BDF3019DD025EB8ABF4366849BE789E122B7053D5B7798D1CEAA9A296C3D007C557D95CDFFEC0115
Malicious:	false
Preview:	.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME...../..v[....[IDAT8.c...?.50.A.o.../...hx)T.h.x....Lp..yI..?..D2......F.@....P1..[.....C ..4...m4A.G..F...=.G....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-left-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	135
Entropy (8bit):	5.763983120472731
Encrypted:	false
SSDEEP:	3:yionv//thPljll8llrAkxHgbcMktxY8ot4sUnG/QgjOD4l+dCKolkup:6v/lhPW/skd/Mktx+thzjOciCflkup
MD5:	C1E1CF920D57580A1337044D9244B41A
SHA1:	2713C8C06B08A204042B3BF92F6E31724E965E81
SHA-256:	8BFC445B29843719FB37F265F727D4E9E6F6C0814F054A6330C096022CA7995A
SHA-512:	87968296D3A160EEA1C3CE012300DF21CC59ED57ADE023B76E9238AE37F491B3F585663CBC4ED86A99EA1E3C4E392672E0CEA803A2641C9F05651E62240FF358
Malicious:	false
Preview:	.PNG........IHDR.............V.W...NIDAT8.c`...........(5D.....\......S.8....1D..#...QjP...A.....E^C3P....z.......g...7.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-left-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	195
Entropy (8bit):	6.589496150082679
Encrypted:	false
SSDEEP:	6:6v/lhPW/YkNWoInpCU14phhk1NWMUGHgyU/Hljp:6v/7uSoIpCUKhhDMUrymlN
MD5:	3043F969482A1E805E6DCA44A6072881
SHA1:	B5764E5B1B26D11737D9307A70E14403E7063A4A
SHA-256:	10A3799ABAABF93F03FD86A23FAFC6C68EB04B5BFB86497F04505DF151E1177E
SHA-512:	3BEAAFABEEF07E3BB7E95DC6C761157C38B9B2B2BDB99C517C073AA137950BFE010C0BDFCC29E955B6A46D6BEED4AB4D8D8D1EF580DD23E8A6B0F471E1FEB4D3
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...?..A...E....F'.j....DG.U$......N.\|.....r..k.d.,..$4P.)R..}.F/.h..)...Q..c.%.x.t.8.jc....).......,p.3.i.k...v.F...X....^...Y.........q.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-left.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	208
Entropy (8bit):	6.056729441397141
Encrypted:	false
SSDEEP:	6:6v/lhPW/f19VINtlMv+YftbtCETdkth4EN0QIVp:6v/7uTVI6T6T4ENRI7
MD5:	3DBA17AB50E1923EB74BF395677EFA06
SHA1:	F293297F4127A788E07D365FD4AB5EB19C7383C4
SHA-256:	33BF303743432947AF7E5E4FCFE7A7FF453FCFBFA6ABDC24671071B7C205DA84
SHA-512:	618BFD415108DDB51B7A1D1003D5E40A417BA36F612EF6FBB5F627AE7FDA2388AC2F08F8BFBE5CF6F172DF26737773C902A85FD98DEFB0CD7DE94B3CFF77FAD6
Malicious:	false
Preview:	.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME.....,"E......]IDAT8.c...?.50.AT5....(1......../%. 9.._.!`19........,....5..a) ^..?)5....@\|...F.<.F.h^..A..p..:.j=....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-right-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	128
Entropy (8bit):	5.703022629772099
Encrypted:	false
SSDEEP:	3:yionv//thPljll8lli9uOgkBCvMibqMGuNGpNfodyfsiB1p:6v/lhPW/i9uOliMibqMGjAMkijp
MD5:	65B820457098F3E41079DB7B024D6911
SHA1:	2D35F7523C5F990B810FAD7E2DFB1E2E46DC94AB
SHA-256:	3CA8816EC6B9E88958D7D33C3532CE57223E5B3454D2AE329A54C964590034D6
SHA-512:	52FAD1A53340EE03016E6B63364EE937BBA8C1FCBC8F491011D707102100F9BFCBB62C5D0B9D3F40BF8CEF48E4E9566271019CBA10CD57C4ACFA05EF210DF4E8
Malicious:	false
Preview:	.PNG........IHDR.............V.W...GIDAT8.c`......./...0.....X.R...8..S.....(5..#.X...EQjP.4.x(.l...........g.*Uug....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-right-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	193
Entropy (8bit):	6.5470203907323725
Encrypted:	false
SSDEEP:	6:6v/lhPW/bkgGNdjs2jOTS3Bs077TxUVxhlup:6v/7uzkgG7Y2yU14lc
MD5:	8FB0652E37E5375EFBFFC85E000333EC
SHA1:	98DF46702AB67C5CFF30922BE409209CEA30A6B5
SHA-256:	90939B8E3B4A568724143D056A93CD7B5528D4841A9D11EA0A4B11C2A35A4E03
SHA-512:	EF67A9624AA003A77724CB90F456A84181746E585003B31AE714A2870FFB3B2F069382CD7DA464FDE6BA68C37A94AE42CCB58B80E0608D41EEF30A81260D5545
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...1..Q...Aa....R......h..~,...:..)..S.7.f...r.I...Rd...a...X..g<p...tBE3\.....&.rU^.WW..!FTF{.5....8b.>.1.o.,.O..........i......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-right.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	139
Entropy (8bit):	5.9354638900987355
Encrypted:	false
SSDEEP:	3:yionv//thPljll8ll3MOgkBQTBlH/DVgPMWwnPUmLdeAkhBsF6c4V1B/0wXjp:6v/lhPW/cOlcBZKkWoLdePhq2BcwTp
MD5:	5EACCA1FC3A11F7E844B3809D9CAA537
SHA1:	86AF79F715B3921E507068558EEDC94EAAC677C6
SHA-256:	57A9751B8A85FD13C3F0C9EEAEB3B905D7B8802779EFE407E13444468A15C396
SHA-512:	997D5D631FF90CAD01D1613A347BF2C1F9D0723AF29A5CA52494BBEF97F4FA50040B171FD371F8A8FD31DDA2933EF0752ABC3056625A9DB747BC5E24EB6F7CD2
Malicious:	false
Preview:	.PNG........IHDR.............V.W...RIDAT8.c`...........0h)._..` f....!...P9J....@.F.....;%....@,EI`..b.J....<..a.....z...l....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-up-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	137
Entropy (8bit):	5.807754777184353
Encrypted:	false
SSDEEP:	3:yionv//thPljll8ll1AqgRtKq2HYGHgsG0z4H1iBLq/bp:6v/lhPW/WqoKq24Psjz4H1ipep
MD5:	BDBB9972D9B7265AD10EDB04A9C2E239
SHA1:	DCA1CBFD90B5C644E37DBB6748227E3EB472E0C8
SHA-256:	866FC4117FC8B133D84C9AC96D13A37E99EBF626CEA47F0E8B059B6641FFC7C3
SHA-512:	BA6059567C6EF35161BD3A82D320EFB8E16435EBFF9CA851AC724A58F45726621BCF7F380DBD2A94A29B5DD919FEF294E7440B31F2B2FACC42AAA1968144020D
Malicious:	false
Preview:	.PNG........IHDR.............V.W...PIDAT8.c`......._..)5...#.8..y(1.....\C..8.. .[.TCX.8........b...+@.Abr.Ip....2g..F.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-up-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	194
Entropy (8bit):	6.427379953657502
Encrypted:	false
SSDEEP:	3:yionv//thPljll8llsAX81qfqjovwzflWfXb0oWhAm2KWmLk8vJvP+u3tKDhqcl1:6v/lhPW/sAXkDokflFoWhAmtW6k8ZUbp
MD5:	830FC62D759022DDBC665F1D8D2E9164
SHA1:	84FBC1F8F3770905AB365D465C956756FD62E15A
SHA-256:	0D0ED367EC6578DD5DB6A3637A5CFBF6DDEEB1CE12953C1DF09FEF8F8BD897AA
SHA-512:	B948DD792BC0379AFF1DB46A8ABFE5803005E3C5C1BC2F2ED382C4D5AF09DCCA7C8F98400B46B0C5CC1100CD492A8D1C3B90A5BE9B2C5EA2537DAA7911B3458C
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...!..a......I.h..y......U...,.@3:O..E!x/.~..h..f\|.u.....4.]hc.3.....@.!v...!.+PC.k\=.A.....1...0A.*H.c..{.Qb..RTA..r.(P.@......;'...!\.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\arrow-up.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	220
Entropy (8bit):	6.113077361175645
Encrypted:	false
SSDEEP:	6:6v/lhPW/CsQH4dKcDA/M+DPu45sC93H5Adp:6v/7ugHcZuK45sC9X5C
MD5:	0BAE3C12DFF85642E6DEBB90607258F0
SHA1:	2B369328373C449DA154FEEC4235464F53AC27FB
SHA-256:	8C41C0E27B9D85D5D49BF44F00A096FA18680E85077FFEB9EC65750F1EFAAA41
SHA-512:	D86BAF78EECDFB96E857D1749BB0580F6230F83D54D4F4843F94EC6335AF339D22560A00907E897A9BB427200305B83056B4649321ABE0C719DDCA89549639D0
Malicious:	false
Preview:	.PNG........IHDR.............V.W....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.www.inkscape.org..<....YIDAT8.c...?.50.A.. w v.. ) .....X.\...x...X..#. . ..d./ .&. . >...\.b^R..ze1.^...M... .1.....d.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\button-insensitive.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	7.702657785044095
Encrypted:	false
SSDEEP:	24:CiUpjur3mHiYuZssTwiTn7JgcOc/irhx1F613aC8BLZ2cL/Fsc:CNpj23hnNTwiTPzU6t+JI4FN
MD5:	3F6A543B6C75ACB2EE000A3BAC7B9A59
SHA1:	A53275A9B4F65393301A1C787B67E87FFDA8234F
SHA-256:	3FACB849498CFA7CCF96BF7B02C5792C0DC49374EA7DDDC8F78E7ED53A96C72B
SHA-512:	E9E98AFF394E4ADAEA3C79096BD8DC865EF539D67F9E3030FEB7F4FACAACC1278606592228A19733AF99128966530CEC1363E9C6DAB6C555DFC0D8C7ADB51517
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDATX..=SSA...........G.+F....._daaaa..a.....JG+.... 7$ww=g.ws..A/n.~.>.y..+}......=%.Tn..m.....Bt.....N..'.....Z.'...........;....[.d.....~.....9.LI.?>W.........It.W..m...N...x&8>.....}....0....JoU,<X$G..m..YV......w..L...:n..FJ..!......."\|.......C)........)p...)F....[.Y..{..jZ@.j.s5xv.W.\|L&./.^.u..y....h..4.9b..}$..q.....".....{..p..9;.s..Ul.............^......p...d+.....u......tZ...B......d..Z.....q.....'H.}...g.jl....~a.ng...m.....mw.fp..0....,MI..v.W..7........l8.s.K...2....qB..\|:.\[...Nje...!..L.^q.Z.hU..f..35s..hK.......R.. $.-..:.......7.p6N.i.+.....u..!RE8..L&...U+...s.x.O.s.H.U.R.E..>z.".......".DB.....9F.......h...W.<.....KH.DO.}.q.!.....<8.c.J...A.\|.S..}.d..ZL......vh....<.#.......W.i..+...m....p...8..Q......A....7..f.sk=.....!.%........tY...S.+...t.Y....1.97P!..a....a.%.m9[~I..K.?..tB.v.L&.[-.h...D...J'......Q'4...59.......I.s..

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\button-normal.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	7.768741056434717
Encrypted:	false
SSDEEP:	24:oqyoicsCo1Rd3ASFaaFX4FumgLpc8ut4qzrtpei0AF3BkNmhqCTEOU:eznTR3YaFXSiut4qzrtbeNmhTE7
MD5:	F860FF3693F12371577E33808AEA17E7
SHA1:	10EA223E855685506460EA8C3FC9427350CAA1E2
SHA-256:	B8714DCC43D031A602E3C560EBB1A07C1A892AB84E34F06EDEB03B59FEB09BD6
SHA-512:	6A6307796F6C6D5FEC3A0B4168DCAD5E6B15008D5CC247B562ECE25E25B87AC40ECB372038E351674FC75AB391CA23E47B8DF1966D2849DC3DD0ADFFB7CEFA62
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......3...g...YIDATX.W.N#G.....`.......6........O&.b..@......`....J..)... ...0..Q9..n..1.LK.vwW.s...q. .x.........~.+..V...C..G.....4M.,.B.^.......w...1.}.33X....z....[,Jfgg........Z.R..'..y18@I.G....www...u...6ZYY.....w,KH.....nnn.....[\\lLLL.7..z.........$.,.3~\|\|.......uOOO....{.........................1..XkC...}...D..M`.n..i...6dvNNN.9::........j..[.sssMX.I.........~B...`.(.....n...^]]].......hdd.k...o...rp~Lp.....%..G.$.k4..\...6..:..._X...Yz.J0..`ll..).R..(...s... C.....J...0+x6m.A.J...X90L..~.i.H.(..?....`....\|...}.......d.>...v G.9....AR.W...H.$......H.i..?.)..<..)..Ps..<.x.....Lc........E}.,.30.5.p.........$.Et....\E...!.Fd...e......5.Q..s.I.B&.}..#.@..j.E..d..... `h=QL[..2..+..M.C.....k.s.i.I.3..+r.Z]..G\|$..U..!..........{..J...T....K..e..1.e..[EY+.(T.T.<!.Y.I.....O.x.\L..^c..FHH.S........F4.f.{....S.....*eS. ..4....(...eQ.\|9.....!.R4.X.+.<..!..

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\button-normal.xcf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	GIMP XCF image data, version 0, 32 x 32, RGB Color
Category:	dropped
Size (bytes):	3977
Entropy (8bit):	5.413488066014333
Encrypted:	false
SSDEEP:	48:7dsNCv/C/CVGhkFTKfyeeocjI4Dc8oPjZ/narUX0Zwnc1ZHHdOkdsFVpAa:KcQ2Gyejc0QoPjZ/KKgwniLsFVpAa
MD5:	1339E8669A986ACB3CCA794EF7E67ABB
SHA1:	8295D74B144481F86B928D0C9A2F16AE0FF86F7C
SHA-256:	4D58C67A4095BE33201E16C2545B28DEF1CBA2D7690F0540877866CFC7ACE230
SHA-512:	DF9AA421947EF90713D0F9D2648803DDC975DB7FDB67F2941A9CA7FD489C9734081FE085C4ED4335C798A05CE2028D84C22A4948C558FDCBE86593CFEBB6A796
Malicious:	false
Preview:	gimp xcf file.... ... .....................B...B..............?........................gimp-image-grid.........(style solid).(fgcolor (color-rgba 0.000000 0.000000 0.000000 1.000000)).(bgcolor (color-rgba 1.000000 1.000000 1.000000 1.000000)).(xspacing 10.000000).(yspacing 10.000000).(spacing-unit inches).(xoffset 0.000000).(yoffset 0.000000).(offset-unit inches).................................5........... ... ........New Layer............l...............................................................................................................+...........=....... ... .......Q....... ... ...a....E...............................#.E...............................#.E...............................#.E.............Vq.q.W......?......?......8......8..............#.... ... ........New Layer#4............................................................................................................................'................... ... ............... ... .........................."..

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\button-prelight.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1442
Entropy (8bit):	7.754161124979248
Encrypted:	false
SSDEEP:	24:oq2vym+9kVWUOASjz39hd/9uinkxIyJubx/98nDDJFPyvfCDFHTCyFm+3wTf8f4C:aqmzV9az39z9hnkx+2DfyyD9TFAAwTfI
MD5:	46934D3CAA685BB0DBECF20BAB8BC317
SHA1:	DD61BF668D265AB3FBB61C6CB6CF25778632154F
SHA-256:	AC57AEA1D66661974EA2922733661B27D26D3C2026321E77A2A9ACE1CDAD558C
SHA-512:	BCB6D969F8823196652B4093988719C9F51940890D212A0E743CC887C46BE3DAD00D95B47970F1E682F3A40E7F7216EBFD4B37626AE130FE57F7F3CEBA718AE4
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME.......E......"IDATX.W.J,W....jm.A#>AA$......$....q.....!B.Cp..;1...p((...G=.Vyve...+...>g._....q.:..[__/.--}.....w..X.s.....y...N.EN..9.<koo.smmmknn...!V.b...OOO.8==....'........;;;}...}z..+.....vrr.8<<.........._....755.............r___G[[[+....%...z...\..T..........Ay\|\|\|.........O...w......._utt..D{.T.......1H..;.Z-......u......?........../....J.......m....F.=D+Rk.....PP.\..Ix....Z?;;.666...}.xW.{Z\...j....c...X1..zm.>..y.!...S.u.....o=l..n..._.f....R..P.."....~..8......l..`.;..B\........>.A...7..Q.F..4..=./.B.......eY..$.<..r....A..$.$.<.`)...........C...V...8.......^.....D&........r..Y9.K.....8..C.....%.UV;*....^. .d.....v. ......M...X..M..zR...H...'..'._dS..P.?..2S.MT......4$.....k...=.eL.^z.....X.e+.......$..sG..qm.vB.........&..I..+W....Q. ,.M.+.-Q..$<!.t....wi.rA..(v.kW..&.p.-.(..u+.j.5.y.....2N.....0....kW....5.y).J1. xDW...x..0.d.p.\S.d......l

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\button-pressed.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1555
Entropy (8bit):	7.796645823149652
Encrypted:	false
SSDEEP:	24:oqhLS0rCCBSazjoXK2RM1EpIuNF0piVLDlZLfciK3ZCHBJW:VjrBBSFXKP1ECuNF0piVLDlBfcOM
MD5:	486390A2CE5B4CC1393AC254780A7C7C
SHA1:	4305181EC1910A666A47C3715D27F5CA6991D688
SHA-256:	AB3BDFDFEED5743FD4AF47B0BA6AAAD914661DCE381A6FF8C8C8994363F83909
SHA-512:	F3F6051BA679C6F329A18E97F12CB6FFD9ED18D0F054C79ED9F2FB5D23F0484A12DB0FD16CD47F52B67E3D617F9BE728F9BECC850CF6A61FE9B74ED9701C2DD1
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......._......IDATX.WIO#G...+;.Ab.@B$...&...Q.?B2Q...[...8!qEB......bK.....-!..n.....Twlfh.T.v....Wv...eY....Fjiii.R.\|..T.:..a.^.@.U..Z.......~yyy{vv....F.."..NOO....z...S...+....:;;. ...n</....^.xx(_^^.'''.;...mmm..eU...^....011....L.......-...y..Vx...}...A.X,...>..............G....\|?99.077.=00.......L&..h._..e....U(X....w......w...?.;;;_.........`_www[___..@.Q.H.O..........$,..r.J.P.nnnV..{....{j.....B@..c....!....u....C"P4M.b...V`./<,\|.....t...J6...^...H.3..-m.}..5..)..A.0.-Z...!.......V....".:....Y#..z$^H.......eZBa.[..cXd....P:f.P>.&...<....-..v.2..J..DV-.5..i.Z....F....u E.%9...(p....Bpu...Gp...P.]..j.....U..i.!b.....I.NF(.5.."-.n..L.V.1I.L.D>-..2..Ih..}.J.`;.......u....0..=CC+.P.B.i.@...+..............:1....N%.M<e.....XAUF.W.Sb.M.f.=G....be..j.'/...$#.H..0...^......=..u.1s7.B......L....RO.L.Y....T....].Lk..SS..I(..4.Lwf.3N...=...sF#..o9.MK."`...

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-06FLQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	7.768741056434717
Encrypted:	false
SSDEEP:	24:oqyoicsCo1Rd3ASFaaFX4FumgLpc8ut4qzrtpei0AF3BkNmhqCTEOU:eznTR3YaFXSiut4qzrtbeNmhTE7
MD5:	F860FF3693F12371577E33808AEA17E7
SHA1:	10EA223E855685506460EA8C3FC9427350CAA1E2
SHA-256:	B8714DCC43D031A602E3C560EBB1A07C1A892AB84E34F06EDEB03B59FEB09BD6
SHA-512:	6A6307796F6C6D5FEC3A0B4168DCAD5E6B15008D5CC247B562ECE25E25B87AC40ECB372038E351674FC75AB391CA23E47B8DF1966D2849DC3DD0ADFFB7CEFA62
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......3...g...YIDATX.W.N#G.....`.......6........O&.b..@......`....J..)... ...0..Q9..n..1.LK.vwW.s...q. .x.........~.+..V...C..G.....4M.,.B.^.......w...1.}.33X....z....[,Jfgg........Z.R..'..y18@I.G....www...u...6ZYY.....w,KH.....nnn.....[\\lLLL.7..z.........$.,.3~\|\|.......uOOO....{.........................1..XkC...}...D..M`.n..i...6dvNNN.9::........j..[.sssMX.I.........~B...`.(.....n...^]]].......hdd.k...o...rp~Lp.....%..G.$.k4..\...6..:..._X...Yz.J0..`ll..).R..(...s... C.....J...0+x6m.A.J...X90L..~.i.H.(..?....`....\|...}.......d.>...v G.9....AR.W...H.$......H.i..?.)..<..)..Ps..<.x.....Lc........E}.,.30.5.p.........$.Et....\E...!.Fd...e......5.Q..s.I.B&.}..#.@..j.E..d..... `h=QL[..2..+..M.C.....k.s.i.I.3..+r.Z]..G\|$..U..!..........{..J...T....K..e..1.e..[EY+.(T.T.<!.Y.I.....O.x.\L..^c..FHH.S........F4.f.{....S.....*eS. ..4....(...eQ.\|9.....!.R4.X.+.<..!..

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-25TRP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	641
Entropy (8bit):	7.486329990930914
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2HcHsH4mHgE42VgbsrP2eByHKk8a4JLk++8/1:HS2H8mJJfIsrueEq9z+c1
MD5:	752E6CDC2C92BF4D22712F33A380CB93
SHA1:	07AC399AD6C9F72E97A1304E1324AD20EB42F633
SHA-256:	3294FEF8285A13B09967D3F631F8CE52C2AACC9A07604CD51B70811BED2ED40E
SHA-512:	9DC2C06873DE889B4E26AA9890B93E6FD37D04C73801865861FA46B95C2011BFEEC94B24F37BBD376C43E993FEE58D1C4A221AF09346CE70AF86BF379BD6CCA2
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....1........IDAT(Se..k.A...\|.n...n..T.%&X.....7.d_.".KA..T.J..Z.....w6D..e.e...=s......S.x..G=.....8"S.%/..\|.....8=y1....:2...;.B.(K.I.W.kE../>....Z.r?.7<.~....t...BJ.i../.J...tz......7..!.J,.#..v.....9.Y....YQ....?\|t............$V.@....zp...;!TU.M.......A..N.....[..V...&....9..xm..d2F.m..`.N......&.A.DU.....y.4....4....`8...\.\|...y...q.]^~......@qXor....Ik..3.@+..V~d...........?7k...`.C.P.ZT.....QF-E.{..+5!... .6..(.i..`m....._~..e.n5.`0..z...Qr..IF.E..9Y.....r~ [.@8...k2...$....n...orX'#..&........X....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-2MKD2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	551
Entropy (8bit):	7.319024742694981
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2HRd4HSOKRcIzpsbPjUdb4pndLBaXeeFUDqtCmN09:HS2HRd4HSBR5KbPognzadIb
MD5:	731657BF68ECC98F0DBE29095CCB88F7
SHA1:	D3B49C3AD148EC96F3088371715121D32EAA7843
SHA-256:	F95DA774191F393BA0EB0436B4CB22920C5F880ED51010177E6E9189CD36C44A
SHA-512:	DE50FC25578922C8BE31D869B70FC0559C965022D6BCCF71DE6CDD541B424DB67E1AE1032AEBAAE03DF66744A27344194AA7994C9CE84317D1AFD1B437D9AA9E
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....04.k......IDAT(..R.j.Q..}..z.%..h.N..OHa../H.......E>!HPl...F\.+n\|f..1.......9.v.\H.Z.&4M{.u.~>.....w>w....v...)"......"...a....@....n.kN.`.kH.)...K..kY..N.0..#1...=..s...A..0M.\..p%.R...B.b..f3..........."......q.J&...).N.b....5A......@.&.c.!.d...\.Z.Vu..V....."H.xO$...e.HX,....WL.`....F....."...m[bu..c.B.u.u..PB..4...U..._.]......KY...l<..a .v..>.s.4.....f#..}0..d2.8A#......*wUU...}.N.?.p=rlJ+.J.n..J#.......7\.R.-.c%....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-3IJTR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	593
Entropy (8bit):	7.479894563773081
Encrypted:	false
SSDEEP:	12:6v/7iIniUpZzmH9D1hP79P2J2ySk9BvSpqKu6kZPdiaXVygV271:giUpMDrD8J2ySMKIZoaX0gV271
MD5:	FFCCEC64441F01C7AA82069BB8D5E9D9
SHA1:	45C02522F48129065104E1C9B4E6AC63434CC7D9
SHA-256:	B8CEB44936275B37F8D08F71F01F223866CEE50E53182D529A3768514A8C7662
SHA-512:	E8709643F6C4CBAA98F7BF870028664324DE673141F1B9FCE995A03D011C4374817846DCED739B4A3DD37D315A474F739ACAD2933ACA63C67FA0216356B8E608
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(S...n.@.....I#;.X.j...U,.@..x..Bx.D.....W..X.b...Fqq.Z.RED8...3.s..l.H..9s...9:D)..1^..m.........R.@...>.T...97..=..z[......i7Q...<...F...di.......R....]...F...u.......W?41&v.6.O^.%ko.\".qH...)....$..z.NJe{o....."..N....NgXDK.q...y...d.@.q].20.9..(...A.a\|~.J..F..$..2pn....$....N.4.2AR.R......`"3..R_....[v.h.n.!...5Gq..QA.Y,.....\..Z....{.h.............mU-..T.Ga..0.{....w..$K..?oN....4KW......'^py.fd..L.)L.z.O(..D..)H...............<....o....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-5NKCR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	137
Entropy (8bit):	5.815385299502723
Encrypted:	false
SSDEEP:	3:yionv//thPljll8ll1Aqg/ml90lvGdw1CwHTQ5NsEZxKG2mpFbp:6v/lhPW/WqgmnBdw1CFNsgdLbp
MD5:	CE4C02BA4708A1AAB1572A9148A94B95
SHA1:	E90673F72B063A610E7383EB7DAFEC7F0BD35549
SHA-256:	6E1332235BB51B2E29B244E5056A6C82015A5FEE79DB2D3A553CD6610DC3BB04
SHA-512:	902C214744235E7CA936D2B16215B63500BA980C00ADFD3773D2EFA65E12FD3EB34DA4F430024BEF2F781F762E4A938778C6AD71AF6D86A9CF02EF53C41E1233
Malicious:	false
Preview:	.PNG........IHDR.............V.W...PIDAT8.c`......._..........H1.....8....XIu.... ..b+..E.$..(.+. ...( .4.e@x4..G..6.g...t....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-5T3NH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	636
Entropy (8bit):	7.494209461570772
Encrypted:	false
SSDEEP:	12:6v/7iIniUpZVqDOd94j4MwzQPlA89rnKP69TRUQMGsVc7:giUpXjBMwMPlA8BZ9OFGsk
MD5:	FE02DBEC1FBF19F2525E9C87E3023C7C
SHA1:	9503756A6C1CB9C742B6852F121B6D8092C06578
SHA-256:	CB2D73D2E08790836F67F4CCA213206C071F2215D65CCD0099EDD2B9A912B578
SHA-512:	CADBCCEE87CB20DA46E1E4BD9241EE22CF7BA6DE9B8ECAD2D1F3831A8AAE5D0061663F57815BCA19F2580C824EC599891726A240292E6AB289013A6AE971E2A0
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(.U..k.A.....^.W.Mj.D.P.^..._. .BJJ.h.....Kv...&B..............H.....6..1.22s..t:............4=.......#.#\]..s......./.....t..{;.....+<y\|.4=Dr..(....>..d.]7h>8.{yT...N.........m...c...NO.X....V...F.7. ....n.io.n...I.T.2..F....q+`..$.0...!...P.{U`..1...'.J..B.w..1.!...<...J..[.........j...A.<.c...A~...R.Z<...85@.KI\....1..m........\v....FU....`.T.e.#......_`.rC].s^.S.r]W... _.C.Cu...ju.....5._...P....r..^A.r\^\|.$y...&..<......y.e..s\.....dc.....!O..qE.h...I..s..Z...?...4f%......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-6RRLP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	139
Entropy (8bit):	5.9354638900987355
Encrypted:	false
SSDEEP:	3:yionv//thPljll8ll3MOgkBQTBlH/DVgPMWwnPUmLdeAkhBsF6c4V1B/0wXjp:6v/lhPW/cOlcBZKkWoLdePhq2BcwTp
MD5:	5EACCA1FC3A11F7E844B3809D9CAA537
SHA1:	86AF79F715B3921E507068558EEDC94EAAC677C6
SHA-256:	57A9751B8A85FD13C3F0C9EEAEB3B905D7B8802779EFE407E13444468A15C396
SHA-512:	997D5D631FF90CAD01D1613A347BF2C1F9D0723AF29A5CA52494BBEF97F4FA50040B171FD371F8A8FD31DDA2933EF0752ABC3056625A9DB747BC5E24EB6F7CD2
Malicious:	false
Preview:	.PNG........IHDR.............V.W...RIDAT8.c`...........0h)._..` f....!...P9J....@.F.....;%....@,EI`..b.J....<..a.....z...l....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-740LV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	GIMP XCF image data, version 0, 32 x 32, RGB Color
Category:	dropped
Size (bytes):	3977
Entropy (8bit):	5.413488066014333
Encrypted:	false
SSDEEP:	48:7dsNCv/C/CVGhkFTKfyeeocjI4Dc8oPjZ/narUX0Zwnc1ZHHdOkdsFVpAa:KcQ2Gyejc0QoPjZ/KKgwniLsFVpAa
MD5:	1339E8669A986ACB3CCA794EF7E67ABB
SHA1:	8295D74B144481F86B928D0C9A2F16AE0FF86F7C
SHA-256:	4D58C67A4095BE33201E16C2545B28DEF1CBA2D7690F0540877866CFC7ACE230
SHA-512:	DF9AA421947EF90713D0F9D2648803DDC975DB7FDB67F2941A9CA7FD489C9734081FE085C4ED4335C798A05CE2028D84C22A4948C558FDCBE86593CFEBB6A796
Malicious:	false
Preview:	gimp xcf file.... ... .....................B...B..............?........................gimp-image-grid.........(style solid).(fgcolor (color-rgba 0.000000 0.000000 0.000000 1.000000)).(bgcolor (color-rgba 1.000000 1.000000 1.000000 1.000000)).(xspacing 10.000000).(yspacing 10.000000).(spacing-unit inches).(xoffset 0.000000).(yoffset 0.000000).(offset-unit inches).................................5........... ... ........New Layer............l...............................................................................................................+...........=....... ... .......Q....... ... ...a....E...............................#.E...............................#.E...............................#.E.............Vq.q.W......?......?......8......8..............#.... ... ........New Layer#4............................................................................................................................'................... ... ............... ... .........................."..

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-87U03.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	206
Entropy (8bit):	6.093633689706192
Encrypted:	false
SSDEEP:	6:6v/lhPW/f19VNtTlMGBSCghX2AGBIcDV6fr66Vp:6v/7uTVPTChXCBN8fJ7
MD5:	2DE4E41A0E31A4C0FBB2D7FC3CBC31CE
SHA1:	0704F540352C579647D28E5E7821D7CA7FCC6613
SHA-256:	FBEC4D0BC6ED3DFDADADFFD10EB9F04058DFC11E7248DD73814E7806E58795FA
SHA-512:	FE60C53AADB80B6B922E17B822710A6820046C07D2742694BDF3019DD025EB8ABF4366849BE789E122B7053D5B7798D1CEAA9A296C3D007C557D95CDFFEC0115
Malicious:	false
Preview:	.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME...../..v[....[IDAT8.c...?.50.A.o.../...hx)T.h.x....Lp..yI..?..D2......F.@....P1..[.....C ..4...m4A.G..F...=.G....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-8FQ1H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1555
Entropy (8bit):	7.796645823149652
Encrypted:	false
SSDEEP:	24:oqhLS0rCCBSazjoXK2RM1EpIuNF0piVLDlZLfciK3ZCHBJW:VjrBBSFXKP1ECuNF0piVLDlBfcOM
MD5:	486390A2CE5B4CC1393AC254780A7C7C
SHA1:	4305181EC1910A666A47C3715D27F5CA6991D688
SHA-256:	AB3BDFDFEED5743FD4AF47B0BA6AAAD914661DCE381A6FF8C8C8994363F83909
SHA-512:	F3F6051BA679C6F329A18E97F12CB6FFD9ED18D0F054C79ED9F2FB5D23F0484A12DB0FD16CD47F52B67E3D617F9BE728F9BECC850CF6A61FE9B74ED9701C2DD1
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME......._......IDATX.WIO#G...+;.Ab.@B$...&...Q.?B2Q...[...8!qEB......bK.....-!..n.....Twlfh.T.v....Wv...eY....Fjiii.R.\|..T.:..a.^.@.U..Z.......~yyy{vv....F.."..NOO....z...S...+....:;;. ...n</....^.xx(_^^.'''.;...mmm..eU...^....011....L.......-...y..Vx...}...A.X,...>..............G....\|?99.077.=00.......L&..h._..e....U(X....w......w...?.;;;_.........`_www[___..@.Q.H.O..........$,..r.J.P.nnnV..{....{j.....B@..c....!....u....C"P4M.b...V`./<,\|.....t...J6...^...H.3..-m.}..5..)..A.0.-Z...!.......V....".:....Y#..z$^H.......eZBa.[..cXd....P:f.P>.&...<....-..v.2..J..DV-.5..i.Z....F....u E.%9...(p....Bpu...Gp...P.]..j.....U..i.!b.....I.NF(.5.."-.n..L.V.1I.L.D>-..2..Ih..}.J.`;.......u....0..=CC+.P.B.i.@...+..............:1....N%.M<e.....XAUF.W.Sb.M.f.=G....be..j.'/...$#.H..0...^......=..u.1s7.B......L....RO.L.Y....T....].Lk..SS..I(..4.Lwf.3N...=...sF#..o9.MK."`...

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-ASLBI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	137
Entropy (8bit):	5.807754777184353
Encrypted:	false
SSDEEP:	3:yionv//thPljll8ll1AqgRtKq2HYGHgsG0z4H1iBLq/bp:6v/lhPW/WqoKq24Psjz4H1ipep
MD5:	BDBB9972D9B7265AD10EDB04A9C2E239
SHA1:	DCA1CBFD90B5C644E37DBB6748227E3EB472E0C8
SHA-256:	866FC4117FC8B133D84C9AC96D13A37E99EBF626CEA47F0E8B059B6641FFC7C3
SHA-512:	BA6059567C6EF35161BD3A82D320EFB8E16435EBFF9CA851AC724A58F45726621BCF7F380DBD2A94A29B5DD919FEF294E7440B31F2B2FACC42AAA1968144020D
Malicious:	false
Preview:	.PNG........IHDR.............V.W...PIDAT8.c`......._..)5...#.8..y(1.....\C..8.. .[.TCX.8........b...+@.Abr.Ip....2g..F.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-D9A7S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	434
Entropy (8bit):	7.191504491746101
Encrypted:	false
SSDEEP:	12:6v/7iIGMfbllDGOEGFo+bciyq44LnHolz:HSbHCOEUo/W4EHa
MD5:	7E5A76C4CF167C7549FAD937DC8B3DA3
SHA1:	7BDBE8BE6737C51C292AA8F51F9586DB0432AB39
SHA-256:	77D9DBC6CC93882EEC1BA969D14AD6C0FDEFE35302F0F930751C4B5BAED2ABFE
SHA-512:	30D230F3F7A62425D92B5227D482E000741C34769BB88CB0F4EDABA782D3834892D9C0A1BC4468DA667951FF489453FD2B3B426ADC38BF6BA5EA34CEEACCC077
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........A.....2IDAT(...j.@...O..b......l..>....v..U.....X.t.L....x.{.Q.n....A.m/).jG-..)..~....2-...Ey..jQY....u=4Mcr......<.i..7..........(..s..i.....+.......!...^V.v.. .f..b1H..E.Yh.w.........7..$...5..R.....f.~.T.l+..^.<.....'&I.1..pG'...i...d2.0...DQt..Yny.".`]....%@.)?L;.u..........yK.....s~.}...?.8.Ty2y.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-DTCOR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	194
Entropy (8bit):	6.478660891705174
Encrypted:	false
SSDEEP:	3:yionv//thPljll8llsAX81qfqjovwzflWfXbbt8i7ltydfIxDGKuQ11iEUvWK2K1:6v/lhPW/sAXkDokflSoAkpOKtMyldp
MD5:	88BC92E4CF3288BA93CAF398950874CD
SHA1:	F1B9F2C5EF5566C5BD983B5E1B3DFF17B06412F2
SHA-256:	258CD3545E4E4A9CF32F31FBD1AAF19869118F2B32CC8AB88C421D53F0A63D6D
SHA-512:	07DCA4BFC9581F425D7BAAB13E91668A0F1C832518DE7E98C0F872A305401B68B1D1C6DB56A81CF55A81E6587DD57168AF49D5676FF24C07A0BF6B0E04FADF8B
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...!..a......I.h..y......U...,.@3:O..E!x/......Q.@..9........{..b..U.0...&HQ.5........P.W ..;......hc.3.....B.}........h..f...;l^.. *.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-EB74Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	195
Entropy (8bit):	6.589496150082679
Encrypted:	false
SSDEEP:	6:6v/lhPW/YkNWoInpCU14phhk1NWMUGHgyU/Hljp:6v/7uSoIpCUKhhDMUrymlN
MD5:	3043F969482A1E805E6DCA44A6072881
SHA1:	B5764E5B1B26D11737D9307A70E14403E7063A4A
SHA-256:	10A3799ABAABF93F03FD86A23FAFC6C68EB04B5BFB86497F04505DF151E1177E
SHA-512:	3BEAAFABEEF07E3BB7E95DC6C761157C38B9B2B2BDB99C517C073AA137950BFE010C0BDFCC29E955B6A46D6BEED4AB4D8D8D1EF580DD23E8A6B0F471E1FEB4D3
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...?..A...E....F'.j....DG.U$......N.\|.....r..k.d.,..$4P.)R..}.F/.h..)...Q..c.%.x.t.8.jc....).......,p.3.i.k...v.F...X....^...Y.........q.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-EF331.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1442
Entropy (8bit):	7.754161124979248
Encrypted:	false
SSDEEP:	24:oq2vym+9kVWUOASjz39hd/9uinkxIyJubx/98nDDJFPyvfCDFHTCyFm+3wTf8f4C:aqmzV9az39z9hnkx+2DfyyD9TFAAwTfI
MD5:	46934D3CAA685BB0DBECF20BAB8BC317
SHA1:	DD61BF668D265AB3FBB61C6CB6CF25778632154F
SHA-256:	AC57AEA1D66661974EA2922733661B27D26D3C2026321E77A2A9ACE1CDAD558C
SHA-512:	BCB6D969F8823196652B4093988719C9F51940890D212A0E743CC887C46BE3DAD00D95B47970F1E682F3A40E7F7216EBFD4B37626AE130FE57F7F3CEBA718AE4
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........bKGD.......C......pHYs.........B(.x....tIME.......E......"IDATX.W.J,W....jm.A#>AA$......$....q.....!B.Cp..;1...p((...G=.Vyve...+...>g._....q.:..[__/.--}.....w..X.s.....y...N.EN..9.<koo.smmmknn...!V.b...OOO.8==....'........;;;}...}z..+.....vrr.8<<.........._....755.............r___G[[[+....%...z...\..T..........Ay\|\|\|.........O...w......._utt..D{.T.......1H..;.Z-......u......?........../....J.......m....F.=D+Rk.....PP.\..Ix....Z?;;.666...}.xW.{Z\...j....c...X1..zm.>..y.!...S.u.....o=l..n..._.f....R..P.."....~..8......l..`.;..B\........>.A...7..Q.F..4..=./.B.......eY..$.<..r....A..$.$.<.`)...........C...V...8.......^.....D&........r..Y9.K.....8..C.....%.UV;*....^. .d.....v. ......M...X..M..zR...H...'..'._dS..P.?..2S.MT......4$.....k...=.eL.^z.....X.e+.......$..sG..qm.vB.........&..I..+W....Q. ,.M.+.-Q..$<!.t....wi.rA..(v.kW..&.p.-.(..u+.j.5.y.....2N.....0....kW....5.y).J1. xDW...x..0.d.p.\S.d......l

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-FKLBQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	208
Entropy (8bit):	6.056729441397141
Encrypted:	false
SSDEEP:	6:6v/lhPW/f19VINtlMv+YftbtCETdkth4EN0QIVp:6v/7uTVI6T6T4ENRI7
MD5:	3DBA17AB50E1923EB74BF395677EFA06
SHA1:	F293297F4127A788E07D365FD4AB5EB19C7383C4
SHA-256:	33BF303743432947AF7E5E4FCFE7A7FF453FCFBFA6ABDC24671071B7C205DA84
SHA-512:	618BFD415108DDB51B7A1D1003D5E40A417BA36F612EF6FBB5F627AE7FDA2388AC2F08F8BFBE5CF6F172DF26737773C902A85FD98DEFB0CD7DE94B3CFF77FAD6
Malicious:	false
Preview:	.PNG........IHDR.............V.W....bKGD..............pHYs...........~.....tIME.....,"E......]IDAT8.c...?.50.AT5....(1......../%. 9.._.!`19........,....5..a) ^..?)5....@\|...F.<.F.h^..A..p..:.j=....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-H7BCB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	69
Entropy (8bit):	4.258998795700668
Encrypted:	false
SSDEEP:	3:yionv//thPlv5hrl6hJbF/k3ollkup:6v/lhPZcJq4ldp
MD5:	A7204A9D9C26A12DD3C0B069EFD8ACAC
SHA1:	5E1E54C75D7D83147DD57DCCBCC5302D1798B21E
SHA-256:	FA56F736618C032485F27BA183FF0D5226006E2080CF20813AF1C6A7B93F4AA3
SHA-512:	7401056BE66AE9CDAF9EFEF6DBA0F96384964DA491F538C35C283419EE819F767D6BFC601E2FEF8445FA25A447A5550C6CD8986330329981B852940EC334F08F
Malicious:	false
Preview:	.PNG........IHDR.....................IDAT..c..`.......%......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-IR2TJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	333
Entropy (8bit):	6.65458733329839
Encrypted:	false
SSDEEP:	6:6v/lhP6IcHMRfCCllSJPwlzkv8z8zKWHCB9mowuVIRmCtIyWDoKby2Fb/67YEFp:6v/7iIGMfbllL5zMKWHCBBIRwyW0KbzG
MD5:	16CE13BC8208F1C0B9422FFAFBC46C6E
SHA1:	FB6B11EE39E0143A056385B25761FCB0E9ED980B
SHA-256:	1EC3BD426CCE1B1BD23664ADCC11FE51D04DE791FADB6A731DE7EB5076B26163
SHA-512:	46EB74547599EED50ED554DCAD5567198D20AAEF7B8D0F2F22E1912224F381F91F5501E4985B007945FC5D4A12B85ED0E06184168F6EE614135C8AFAE13334A5
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......'.i.h....IDAT(.c`..@VV.WNN.]FF.WJJ.OZZ...............Z...B..Alsss.SSS......,CCC..$.q``.\XX.5N.UUU......pII..N.3g.4....'N.h.S..;U.]+..hXf...j85>~....+j.O..>~..$......8s..+....?..?..{'...{./_.H.}.y..0.15c..B......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-J1RM3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	559
Entropy (8bit):	7.393060209024772
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H1ClNHN+5CWPctjcNirsMD0YrO5kOBMlz:HS2HkHeCmPGxbibO9
MD5:	C720EFDABF3F8B47BD07FCFE80AF5608
SHA1:	A63400832DC55C911113C0176DA2EE6DF04F5D4F
SHA-256:	C81909BB15E1417A075DB27E1FA348C9371F68BF55B434FC70FB28FD5AED37AD
SHA-512:	1EF5ADCDE29FC4316DB7292D53741C3330BF17203B24EFDB6D1112413763FE37822BBDD9008B0C0E7A2210FA519D56922CB574C23043A12954FEF9ECDCBF382D
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0..a......IDAT(.U..j.A.....#.B.B...H!.Jc..". !u.@.&.E .`X.Pl....].s....\f...=g..\.b.z..,.j:.S;.N.<.>.....N..4....=...f...{.BA<..t..$..f.........r]..Z......iI&....H............J...@A.X,>@I.....q..b..T.Vu...._,./.v....3...}_'...Q]...H;a....T.c..n.m1...g..J..#J)..\\>....#.C..D.3...d\.^^....q%hlse.....~..L.f.L.LaZ..g.Jw...n....y.......>....M1.I4.. ...@...A.1... . \|.lV..[C.A.n.P.U*.T.\.r.... ..8..FK...#w;..y.r...]...............IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-KAQIE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	7.702657785044095
Encrypted:	false
SSDEEP:	24:CiUpjur3mHiYuZssTwiTn7JgcOc/irhx1F613aC8BLZ2cL/Fsc:CNpj23hnNTwiTPzU6t+JI4FN
MD5:	3F6A543B6C75ACB2EE000A3BAC7B9A59
SHA1:	A53275A9B4F65393301A1C787B67E87FFDA8234F
SHA-256:	3FACB849498CFA7CCF96BF7B02C5792C0DC49374EA7DDDC8F78E7ED53A96C72B
SHA-512:	E9E98AFF394E4ADAEA3C79096BD8DC865EF539D67F9E3030FEB7F4FACAACC1278606592228A19733AF99128966530CEC1363E9C6DAB6C555DFC0D8C7ADB51517
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDATX..=SSA...........G.+F....._daaaa..a.....JG+.... 7$ww=g.ws..A/n.~.>.y..+}......=%.Tn..m.....Bt.....N..'.....Z.'...........;....[.d.....~.....9.LI.?>W.........It.W..m...N...x&8>.....}....0....JoU,<X$G..m..YV......w..L...:n..FJ..!......."\|.......C)........)p...)F....[.Y..{..jZ@.j.s5xv.W.\|L&./.^.u..y....h..4.9b..}$..q.....".....{..p..9;.s..Ul.............^......p...d+.....u......tZ...B......d..Z.....q.....'H.}...g.jl....~a.ng...m.....mw.fp..0....,MI..v.W..7........l8.s.K...2....qB..\|:.\[...Nje...!..L.^q.Z.hU..f..35s..hK.......R.. $.-..:.......7.p6N.i.+.....u..!RE8..L&...U+...s.x.O.s.H.U.R.E..>z.".......".DB.....9F.......h...W.<.....KH.DO.}.q.!.....<8.c.J...A.\|.S..}.d..ZL......vh....<.#.......W.i..+...m....p...8..Q......A....7..f.sk=.....!.%........tY...S.+...t.Y....1.97P!..a....a.%.m9[~I..K.?..tB.v.L&.[-.h...D...J'......Q'4...59.......I.s..

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-KMOSJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	220
Entropy (8bit):	6.113077361175645
Encrypted:	false
SSDEEP:	6:6v/lhPW/CsQH4dKcDA/M+DPu45sC93H5Adp:6v/7ugHcZuK45sC9X5C
MD5:	0BAE3C12DFF85642E6DEBB90607258F0
SHA1:	2B369328373C449DA154FEEC4235464F53AC27FB
SHA-256:	8C41C0E27B9D85D5D49BF44F00A096FA18680E85077FFEB9EC65750F1EFAAA41
SHA-512:	D86BAF78EECDFB96E857D1749BB0580F6230F83D54D4F4843F94EC6335AF339D22560A00907E897A9BB427200305B83056B4649321ABE0C719DDCA89549639D0
Malicious:	false
Preview:	.PNG........IHDR.............V.W....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.www.inkscape.org..<....YIDAT8.c...?.50.A.. w v.. ) .....X.\...x...X..#. . ..d./ .&. . >...\.b^R..ze1.^...M... .1.....d.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-MMH70.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	437
Entropy (8bit):	7.172409807946269
Encrypted:	false
SSDEEP:	12:6v/7iIGMfbllRNTwF4Aca6vxsbrVnsgP7F9J6Jz17:HSbHRhwF4A56vuZ/Z6t17
MD5:	E51360FDC759C15DEF4ED591275F6E37
SHA1:	723E725BAB93316AA5CBEEAF65A782777DD28983
SHA-256:	559FD805D661B05A7B67119EF93067D6BF076D5A92470F343332D80EB6C67168
SHA-512:	8BE34022F9188993A642A10A31D3AA05865254C69134726F5C1891E6537AF94A6E625D63A6E8D3C058A10E49A60D03C407AD8D6D70F09452D91957680D99E115
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........Oj....5IDAT(..IN.@........7n.....\.3@....0&2...._./..J.Tu..5.8.fQ...;......\|....*...[.$..>.#..z_A.,....\|;.i.^.2^...5...R..U..y.,.8<...<.-;cJ)..E.(.0.....Z.s]..B....:..1.;dud...P..D.G.J..4Ml/.l..!.3.H....q.I..H..a.....I.uK`..^ ...s...2gL..\..(h@!.....R(S...8....a...K.kAf..."V.h0...N?v..}.~..c...t$!&.lo?..z...qm....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-NSTRM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	194
Entropy (8bit):	6.427379953657502
Encrypted:	false
SSDEEP:	3:yionv//thPljll8llsAX81qfqjovwzflWfXb0oWhAm2KWmLk8vJvP+u3tKDhqcl1:6v/lhPW/sAXkDokflFoWhAmtW6k8ZUbp
MD5:	830FC62D759022DDBC665F1D8D2E9164
SHA1:	84FBC1F8F3770905AB365D465C956756FD62E15A
SHA-256:	0D0ED367EC6578DD5DB6A3637A5CFBF6DDEEB1CE12953C1DF09FEF8F8BD897AA
SHA-512:	B948DD792BC0379AFF1DB46A8ABFE5803005E3C5C1BC2F2ED382C4D5AF09DCCA7C8F98400B46B0C5CC1100CD492A8D1C3B90A5BE9B2C5EA2537DAA7911B3458C
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...!..a......I.h..y......U...,.@3:O..E!x/.~..h..f\|.u.....4.]hc.3.....@.!v...!.+PC.k\=.A.....1...0A.*H.c..{.Qb..RTA..r.(P.@......;'...!\.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-O1V5V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	128
Entropy (8bit):	5.703022629772099
Encrypted:	false
SSDEEP:	3:yionv//thPljll8lli9uOgkBCvMibqMGuNGpNfodyfsiB1p:6v/lhPW/i9uOliMibqMGjAMkijp
MD5:	65B820457098F3E41079DB7B024D6911
SHA1:	2D35F7523C5F990B810FAD7E2DFB1E2E46DC94AB
SHA-256:	3CA8816EC6B9E88958D7D33C3532CE57223E5B3454D2AE329A54C964590034D6
SHA-512:	52FAD1A53340EE03016E6B63364EE937BBA8C1FCBC8F491011D707102100F9BFCBB62C5D0B9D3F40BF8CEF48E4E9566271019CBA10CD57C4ACFA05EF210DF4E8
Malicious:	false
Preview:	.PNG........IHDR.............V.W...GIDAT8.c`......./...0.....X.R...8..S.....(5..#.X...EQjP.4.x(.l...........g.*Uug....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-ON4S3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	324
Entropy (8bit):	6.776590990847706
Encrypted:	false
SSDEEP:	6:6v/lhP6IcHMRfCCllSP7k0Rt64huUPOfsIuDRWi9I1z2He4hsCvJgVm/kup:6v/7iIGMfbll8g0RciuU2fy9I1zg3lJP
MD5:	389BCEA15865028B56A0A70C87E13DCA
SHA1:	B771E6A3E73B2B3E4B440B2E59D98E9D7F3B60C7
SHA-256:	5CAA4636ADE7C9B36E257D1AB01D06FDA59310781F4C1E5B527342D5DD8B8DE3
SHA-512:	BDD82387E62B1726B402B1BE8B87CD2BF02C794A77525E4780A96DAE71E6CBF5F17261706A161A7AE1FDB8F15542DD2A3046ABE0A3328B5139C99F9F9CDDDFA3
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME..............IDAT(.....0....Uh..C#`....&._...p%..qs.....H...K:....E.S...u....TU.+.R5M..B.m..y.._... ..Zk9M.`.}.>..C..8.:..I...8.....a.v.......h.b..A....n.T...C...c.%...G..i.2J.+.J)GB...wY......:...,.D.Y?..F..Z.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-PKGSM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	135
Entropy (8bit):	5.763983120472731
Encrypted:	false
SSDEEP:	3:yionv//thPljll8llrAkxHgbcMktxY8ot4sUnG/QgjOD4l+dCKolkup:6v/lhPW/skd/Mktx+thzjOciCflkup
MD5:	C1E1CF920D57580A1337044D9244B41A
SHA1:	2713C8C06B08A204042B3BF92F6E31724E965E81
SHA-256:	8BFC445B29843719FB37F265F727D4E9E6F6C0814F054A6330C096022CA7995A
SHA-512:	87968296D3A160EEA1C3CE012300DF21CC59ED57ADE023B76E9238AE37F491B3F585663CBC4ED86A99EA1E3C4E392672E0CEA803A2641C9F05651E62240FF358
Malicious:	false
Preview:	.PNG........IHDR.............V.W...NIDAT8.c`...........(5D.....\......S.8....1D..#...QjP...A.....E^C3P....z.......g...7.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-PQ5T2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	193
Entropy (8bit):	6.5470203907323725
Encrypted:	false
SSDEEP:	6:6v/lhPW/bkgGNdjs2jOTS3Bs077TxUVxhlup:6v/7uzkgG7Y2yU14lc
MD5:	8FB0652E37E5375EFBFFC85E000333EC
SHA1:	98DF46702AB67C5CFF30922BE409209CEA30A6B5
SHA-256:	90939B8E3B4A568724143D056A93CD7B5528D4841A9D11EA0A4B11C2A35A4E03
SHA-512:	EF67A9624AA003A77724CB90F456A84181746E585003B31AE714A2870FFB3B2F069382CD7DA464FDE6BA68C37A94AE42CCB58B80E0608D41EEF30A81260D5545
Malicious:	false
Preview:	.PNG........IHDR.............V.W....IDAT8...1..Q...Aa....R......h..~,...:..)..S.7.f...r.I...Rd...a...X..g<p...tBE3\.....&.rU^.WW..!FTF{.5....8b.>.1.o.,.O..........i......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-PT894.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	556
Entropy (8bit):	7.316549998180671
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H9fw3E/3lkWcxh66ScOaqgx531nDqLwzIdjzRvL77:HS2H9YU/eWIfScvbnDzzchvLH
MD5:	E4118A159AC2AAB1876E440CF770CA3D
SHA1:	27A28242395D33530A955D2D6FE479A9D45DB0CC
SHA-256:	08268FF255BFD01B6AA0184ECD06B5A0C48D016BC429D3B155B7149A8CD10FDF
SHA-512:	611EAC1EB04097730CD7B8D9C52FF7DA5D2F741E8C4A54F291C0137B75DD326F42CF35AEDBDB17D153BA20845904BE9F1F3753069B36D3050E907FA5C3D3461A
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0;..]....IDAT(SmR-o.A....;.8.5.....T..V`+....6.....L-..... ...Q........L2...y3ogF;..BI.Rq5M{.u.t8...3......{..j3..) @O.\|$...b..q..z.......F3$x....$.4..l6...[.B..<...R4..E....k.r.E.^.X.K..b...\|...J0..F.g..y&.TM&.n>.......).@[Uv.Gx...z...G)..X.hT.-,...XL...V....\.g.W....).. ."..<..Z.N.j.d..a...D..8).L.`...b.F{0.<b..A0.DUB.J:..I.mr.....t-f..V+.d...\|.....n~....g.....~NW.'...t:c.....R)....(.d..v.`...V...e.f.!........)...[..-./..._x=t<....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-TBBP5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	549
Entropy (8bit):	7.372873904443628
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H0ZF0NS5rNgZK5S80iwpLboX30XuQBMBVEB5Hk:HS2H/NS17A8v1X3wuxYY
MD5:	FA26AC420BEA517A2C4247572E33842E
SHA1:	06DE61402AAA1A2ADC2EF2969E76B7200A9D13AA
SHA-256:	8D8451A732FA6662F6FCE32CCF6751E421C6FFC7C5B819C29AB1482967B05FFA
SHA-512:	8850CFCD06A82FA41D4B30F88DE5485857B2BD1B548CEC4A7F38B78E3427AEDA01B44762161D8352501F6AE0EBBAEE82AF71F52296CCB93399B4C01C6864D382
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0.[.......IDAT(.mR.j.@........(.".."~C.n...Q.!...n.u.O.).+A.*..&>{..)..\2s.{....z...m..W.T.r.<0.....po.. 0X..Az..3....J....L.S..f.r..P....."I.T..hx.fS...../.lV.(..z-.~_..qx>..HV....b..J%Z...@.........e.X.A.%....LFN..&1.&..X.......l.,.T..@....m]`...j...b.s ...c.Z+.N.$..R.@.i..s.H.-....).0W`....I..D.x/xF7.(>.~..LuCf.L$..a...`.}...q....=5.! ..r.........I...6..8.]rnF...j...j5..-...\|>....$@.nG.9. .":..!...x<....._.....`7....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-V0QF9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	517
Entropy (8bit):	7.3380534299819
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H4ZZG1CXGrA0JI/88sXEZ1gBxPibGo1+bsI:HS2H4ZGCWXC/tHZ10PiaJP
MD5:	156D5836B29559FD2A8AFACFA2931192
SHA1:	D92B24898B7483591E5B088C60D05B73355AD0EC
SHA-256:	ECE2829963DECBC954FDBC7F831451D36F1248EBDEAAC181B68AEBEC00BE3555
SHA-512:	591CCEED7768A3D6C87A9DC7EE34F9B1A1463AEE30C184027C24294901179BA9C6BFF697FD7004E22F12605D45CB7BC18FFE1C9D7D798A7AB40004FF36FBC656
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2.........IDAT(S..Ij.Q....v..a..m..(...}...!.&!'.W.=T...mW.....<t..X...$.....E..G...R..;.i>.C.z._...p8\|.n...o6.w....r..r9.8..M...h4.....;q...7.M.t.Z.Z-[*..P((.Z.R.......l`.AN.%.LVR..aY.!...@...#......^i4........r...nG..^....f....gd`.~0.9hD,.S.a..>e2.8T......E..t..x.= d..".._@..$...Bq..m=....f..n#.,.t.Z..EW...o.1w1B]p .....0b....w.^'...=.`p:.tD\|.d2...i..\..=9......j......<1..._...+."..V\|....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\is-VP1KS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.307082621377148
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H5kGLptWrJMNbLtUWrPwIfYSA2go4aOq07:HS2H6G16JEbSuff8hnaOq07
MD5:	9BBFAFFA43A8745739977748E1680DAB
SHA1:	A2DE96CC6B8D6A22F2E517ED8828A0E65769C6EB
SHA-256:	EAD5682AA1875AC0664177D32B817A0BE555B90AABB88DD8FA914FAF42125896
SHA-512:	3E1E77835D3786D1FFAE02EAEFD41FEF7BD55955F08806C176A5E5A06169029F07E194D001927E5AEAD066FA41C90CA1B41E354F274C3AA1C6A78EF0E37717E1
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2...i....vIDAT(S.RKj.Q.4..=.....h.......].....y...E.j.O.....d.,.7..._.......`0.....p8\|...}[..H......t..j...l`.6F....2G..x.D.7...^..8......d..{e%..H$.\...x..j..~....B.R..d......}d2.d.Y..u,..l.[.v;....P(.4..D..+^....<.."...g..Q.Z..r...4!E>..LT....n..l4.FQ..VI.....&..........eYOVM6...@....5...L.T*.J...p.rq..=."p2.`6.a:.....I5.s........I..\.@..F....rB.b..I....'...r..O...{7.\....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\null.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 8 x 8, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	69
Entropy (8bit):	4.258998795700668
Encrypted:	false
SSDEEP:	3:yionv//thPlv5hrl6hJbF/k3ollkup:6v/lhPZcJq4ldp
MD5:	A7204A9D9C26A12DD3C0B069EFD8ACAC
SHA1:	5E1E54C75D7D83147DD57DCCBCC5302D1798B21E
SHA-256:	FA56F736618C032485F27BA183FF0D5226006E2080CF20813AF1C6A7B93F4AA3
SHA-512:	7401056BE66AE9CDAF9EFEF6DBA0F96384964DA491F538C35C283419EE819F767D6BFC601E2FEF8445FA25A447A5550C6CD8986330329981B852940EC334F08F
Malicious:	false
Preview:	.PNG........IHDR.....................IDAT..c..`.......%......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\pbtroughh.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	333
Entropy (8bit):	6.65458733329839
Encrypted:	false
SSDEEP:	6:6v/lhP6IcHMRfCCllSJPwlzkv8z8zKWHCB9mowuVIRmCtIyWDoKby2Fb/67YEFp:6v/7iIGMfbllL5zMKWHCBBIRwyW0KbzG
MD5:	16CE13BC8208F1C0B9422FFAFBC46C6E
SHA1:	FB6B11EE39E0143A056385B25761FCB0E9ED980B
SHA-256:	1EC3BD426CCE1B1BD23664ADCC11FE51D04DE791FADB6A731DE7EB5076B26163
SHA-512:	46EB74547599EED50ED554DCAD5567198D20AAEF7B8D0F2F22E1912224F381F91F5501E4985B007945FC5D4A12B85ED0E06184168F6EE614135C8AFAE13334A5
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME......'.i.h....IDAT(.c`..@VV.WNN.]FF.WJJ.OZZ...............Z...B..Alsss.SSS......,CCC..$.q``.\XX.5N.UUU......pII..N.3g.4....'N.h.S..;U.]+..hXf...j85>~....+j.O..>~..$......8s..+....?..?..{'...{./_.H.}.y..0.15c..B......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\pbtroughv.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	324
Entropy (8bit):	6.776590990847706
Encrypted:	false
SSDEEP:	6:6v/lhP6IcHMRfCCllSP7k0Rt64huUPOfsIuDRWi9I1z2He4hsCvJgVm/kup:6v/7iIGMfbll8g0RciuU2fy9I1zg3lJP
MD5:	389BCEA15865028B56A0A70C87E13DCA
SHA1:	B771E6A3E73B2B3E4B440B2E59D98E9D7F3B60C7
SHA-256:	5CAA4636ADE7C9B36E257D1AB01D06FDA59310781F4C1E5B527342D5DD8B8DE3
SHA-512:	BDD82387E62B1726B402B1BE8B87CD2BF02C794A77525E4780A96DAE71E6CBF5F17261706A161A7AE1FDB8F15542DD2A3046ABE0A3328B5139C99F9F9CDDDFA3
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME..............IDAT(.....0....Uh..C#`....&._...p%..qs.....H...K:....E.S...u....TU.+.R5M..B.m..y.._... ..Zk9M.`.}.>..C..8.:..I...8.....a.v.......h.b..A....n.T...C...c.%...G..i.2J.+.J)GB...wY......:...,.D.Y?..F..Z.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\rangeslider-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	593
Entropy (8bit):	7.479894563773081
Encrypted:	false
SSDEEP:	12:6v/7iIniUpZzmH9D1hP79P2J2ySk9BvSpqKu6kZPdiaXVygV271:giUpMDrD8J2ySMKIZoaX0gV271
MD5:	FFCCEC64441F01C7AA82069BB8D5E9D9
SHA1:	45C02522F48129065104E1C9B4E6AC63434CC7D9
SHA-256:	B8CEB44936275B37F8D08F71F01F223866CEE50E53182D529A3768514A8C7662
SHA-512:	E8709643F6C4CBAA98F7BF870028664324DE673141F1B9FCE995A03D011C4374817846DCED739B4A3DD37D315A474F739ACAD2933ACA63C67FA0216356B8E608
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(S...n.@.....I#;.X.j...U,.@..x..Bx.D.....W..X.b...Fqq.Z.RED8...3.s..l.H..9s...9:D)..1^..m.........R.@...>.T...97..=..z[......i7Q...<...F...di.......R....]...F...u.......W?41&v.6.O^.%ko.\".qH...)....$..z.NJe{o....."..N....NgXDK.q...y...d.@.q].20.9..(...A.a\|~.J..F..$..2pn....$....N.4.2AR.R......`"3..R_....[v.h.n.!...5Gq..QA.Y,.....\..Z....{.h.............mU-..T.Ga..0.{....w..$K..?oN....4KW......'^py.fd..L.)L.z.O(..D..)H...............<....o....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\rangeslider-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	502
Entropy (8bit):	7.307082621377148
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H5kGLptWrJMNbLtUWrPwIfYSA2go4aOq07:HS2H6G16JEbSuff8hnaOq07
MD5:	9BBFAFFA43A8745739977748E1680DAB
SHA1:	A2DE96CC6B8D6A22F2E517ED8828A0E65769C6EB
SHA-256:	EAD5682AA1875AC0664177D32B817A0BE555B90AABB88DD8FA914FAF42125896
SHA-512:	3E1E77835D3786D1FFAE02EAEFD41FEF7BD55955F08806C176A5E5A06169029F07E194D001927E5AEAD066FA41C90CA1B41E354F274C3AA1C6A78EF0E37717E1
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2...i....vIDAT(S.RKj.Q.4..=.....h.......].....y...E.j.O.....d.,.7..._.......`0.....p8\|...}[..H......t..j...l`.6F....2G..x.D.7...^..8......d..{e%..H$.\...x..j..~....B.R..d......}d2.d.Y..u,..l.[.v;....P(.4..D..+^....<.."...g..Q.Z..r...4!E>..LT....n..l4.FQ..VI.....&..........eYOVM6...@....5...L.T*.J...p.rq..=."p2.`6.a:.....I5.s........I..\.@..F....rB.b..I....'...r..O...{7.\....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\rangeslider.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	517
Entropy (8bit):	7.3380534299819
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H4ZZG1CXGrA0JI/88sXEZ1gBxPibGo1+bsI:HS2H4ZGCWXC/tHZ10PiaJP
MD5:	156D5836B29559FD2A8AFACFA2931192
SHA1:	D92B24898B7483591E5B088C60D05B73355AD0EC
SHA-256:	ECE2829963DECBC954FDBC7F831451D36F1248EBDEAAC181B68AEBEC00BE3555
SHA-512:	591CCEED7768A3D6C87A9DC7EE34F9B1A1463AEE30C184027C24294901179BA9C6BFF697FD7004E22F12605D45CB7BC18FFE1C9D7D798A7AB40004FF36FBC656
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....2.........IDAT(S..Ij.Q....v..a..m..(...}...!.&!'.W.=T...mW.....<t..X...$.....E..G...R..;.i>.C.z._...p8\|.n...o6.w....r..r9.8..M...h4.....;q...7.M.t.Z.Z-[*..P((.Z.R.......l`.AN.%.LVR..aY.!...@...#......^i4........r...nG..^....f....gd`.~0.9hD,.S.a..>e2.8T......E..t..x.= d..".._@..$...Bq..m=....f..n#.,.t.Z..EW...o.1w1B]p .....0b....w.^'...=.`p:.tD\|.d2...i..\..=9......j......<1..._...+."..V\|....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\slider-h-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	636
Entropy (8bit):	7.494209461570772
Encrypted:	false
SSDEEP:	12:6v/7iIniUpZVqDOd94j4MwzQPlA89rnKP69TRUQMGsVc7:giUpXjBMwMPlA8BZ9OFGsk
MD5:	FE02DBEC1FBF19F2525E9C87E3023C7C
SHA1:	9503756A6C1CB9C742B6852F121B6D8092C06578
SHA-256:	CB2D73D2E08790836F67F4CCA213206C071F2215D65CCD0099EDD2B9A912B578
SHA-512:	CADBCCEE87CB20DA46E1E4BD9241EE22CF7BA6DE9B8ECAD2D1F3831A8AAE5D0061663F57815BCA19F2580C824EC599891726A240292E6AB289013A6AE971E2A0
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<.....IDAT(.U..k.A.....^.W.Mj.D.P.^..._. .BJJ.h.....Kv...&B..............H.....6..1.22s..t:............4=.......#.#\]..s......./.....t..{;.....+<y\|.4=Dr..(....>..d.]7h>8.{yT...N.........m...c...NO.X....V...F.7. ....n.io.n...I.T.2..F....q+`..$.0...!...P.{U`..1...'.J..B.w..1.!...<...J..[.........j...A.<.c...A~...R.Z<...85@.KI\....1..m........\v....FU....`.T.e.#......_`.rC].s^.S.r]W... _.C.Cu...ju.....5._...P....r..^A.r\^\|.$y...&..<......y.e..s\.....dc.....!O..qE.h...I..s..Z...?...4f%......IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\slider-h-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	559
Entropy (8bit):	7.393060209024772
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H1ClNHN+5CWPctjcNirsMD0YrO5kOBMlz:HS2HkHeCmPGxbibO9
MD5:	C720EFDABF3F8B47BD07FCFE80AF5608
SHA1:	A63400832DC55C911113C0176DA2EE6DF04F5D4F
SHA-256:	C81909BB15E1417A075DB27E1FA348C9371F68BF55B434FC70FB28FD5AED37AD
SHA-512:	1EF5ADCDE29FC4316DB7292D53741C3330BF17203B24EFDB6D1112413763FE37822BBDD9008B0C0E7A2210FA519D56922CB574C23043A12954FEF9ECDCBF382D
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0..a......IDAT(.U..j.A.....#.B.B...H!.Jc..". !u.@.&.E .`X.Pl....].s....\f...=g..\.b.z..,.j:.S;.N.<.>.....N..4....=...f...{.BA<..t..$..f.........r]..Z......iI&....H............J...@A.X,>@I.....q..b..T.Vu...._,./.v....3...}_'...Q]...H;a....T.c..n.m1...g..J..#J)..\\>....#.C..D.3...d\.^^....q%hlse.....~..L.f.L.LaZ..g.Jw...n....y.......>....M1.I4.. ...@...A.1... . \|.lV..[C.A.n.P.U*.T.\.r.... ..8..FK...#w;..y.r...]...............IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\slider-h.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	549
Entropy (8bit):	7.372873904443628
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H0ZF0NS5rNgZK5S80iwpLboX30XuQBMBVEB5Hk:HS2H/NS17A8v1X3wuxYY
MD5:	FA26AC420BEA517A2C4247572E33842E
SHA1:	06DE61402AAA1A2ADC2EF2969E76B7200A9D13AA
SHA-256:	8D8451A732FA6662F6FCE32CCF6751E421C6FFC7C5B819C29AB1482967B05FFA
SHA-512:	8850CFCD06A82FA41D4B30F88DE5485857B2BD1B548CEC4A7F38B78E3427AEDA01B44762161D8352501F6AE0EBBAEE82AF71F52296CCB93399B4C01C6864D382
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0.[.......IDAT(.mR.j.@........(.".."~C.n...Q.!...n.u.O.).+A.*..&>{..)..\2s.{....z...m..W.T.r.<0.....po.. 0X..Az..3....J....L.S..f.r..P....."I.T..hx.fS...../.lV.(..z-.~_..qx>..HV....b..J%Z...@.........e.X.A.%....LFN..&1.&..X.......l.,.T..@....m]`...j...b.s ...c.Z+.N.$..R.@.i..s.H.-....).0W`....I..D.x/xF7.(>.~..LuCf.L$..a...`.}...q....=5.! ..r.........I...6..8.]rnF...j...j5..-...\|>....$@.nG.9. .":..!...x<....._.....`7....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\slider-v-ins.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	641
Entropy (8bit):	7.486329990930914
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2HcHsH4mHgE42VgbsrP2eByHKk8a4JLk++8/1:HS2H8mJJfIsrueEq9z+c1
MD5:	752E6CDC2C92BF4D22712F33A380CB93
SHA1:	07AC399AD6C9F72E97A1304E1324AD20EB42F633
SHA-256:	3294FEF8285A13B09967D3F631F8CE52C2AACC9A07604CD51B70811BED2ED40E
SHA-512:	9DC2C06873DE889B4E26AA9890B93E6FD37D04C73801865861FA46B95C2011BFEEC94B24F37BBD376C43E993FEE58D1C4A221AF09346CE70AF86BF379BD6CCA2
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....1........IDAT(Se..k.A...\|.n...n..T.%&X.....7.d_.".KA..T.J..Z.....w6D..e.e...=s......S.x..G=.....8"S.%/..\|.....8=y1....:2...;.B.(K.I.W.kE../>....Z.r?.7<.~....t...BJ.i../.J...tz......7..!.J,.#..v.....9.Y....YQ....?\|t............$V.@....zp...;!TU.M.......A..N.....[..V...&....9..xm..d2F.m..`.N......&.A.DU.....y.4....4....`8...\.\|...y...q.]^~......@qXor....Ik..3.@+..V~d...........?7k...`.C.P.ZT.....QF-E.{..+5!... .6..(.i..`m....._~..e.n5.`0..z...Qr..IF.E..9Y.....r~ [.@8...k2...$....n...orX'#..&........X....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\slider-v-pre.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	556
Entropy (8bit):	7.316549998180671
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2H9fw3E/3lkWcxh66ScOaqgx531nDqLwzIdjzRvL77:HS2H9YU/eWIfScvbnDzzchvLH
MD5:	E4118A159AC2AAB1876E440CF770CA3D
SHA1:	27A28242395D33530A955D2D6FE479A9D45DB0CC
SHA-256:	08268FF255BFD01B6AA0184ECD06B5A0C48D016BC429D3B155B7149A8CD10FDF
SHA-512:	611EAC1EB04097730CD7B8D9C52FF7DA5D2F741E8C4A54F291C0137B75DD326F42CF35AEDBDB17D153BA20845904BE9F1F3753069B36D3050E907FA5C3D3461A
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....0;..]....IDAT(SmR-o.A....;.8.5.....T..V`+....6.....L-..... ...Q........L2...y3ogF;..BI.Rq5M{.u.t8...3......{..j3..) @O.\|$...b..q..z.......F3$x....$.4..l6...[.B..<...R4..E....k.r.E.^.X.K..b...\|...J0..F.g..y&.TM&.n>.......).@[Uv.Gx...z...G)..X.hT.-,...XL...V....\.g.W....).. ."..<..Z.N.j.d..a...D..8).L.`...b.F{0.<b..A0.DUB.J:..I.mr.....t-f..V+.d...\|.....n~....g.....~NW.'...t:c.....R)....(.d..v.`...V...e.f.!........)...[..-./..._x=t<....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\slider-v.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	551
Entropy (8bit):	7.319024742694981
Encrypted:	false
SSDEEP:	12:6v/7iIGMf2HRd4HSOKRcIzpsbPjUdb4pndLBaXeeFUDqtCmN09:HS2HRd4HSBR5KbPognzadIb
MD5:	731657BF68ECC98F0DBE29095CCB88F7
SHA1:	D3B49C3AD148EC96F3088371715121D32EAA7843
SHA-256:	F95DA774191F393BA0EB0436B4CB22920C5F880ED51010177E6E9189CD36C44A
SHA-512:	DE50FC25578922C8BE31D869B70FC0559C965022D6BCCF71DE6CDD541B424DB67E1AE1032AEBAAE03DF66744A27344194AA7994C9CE84317D1AFD1B437D9AA9E
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD..............pHYs.........B(.x....tIME.....04.k......IDAT(..R.j.Q..}..z.%..h.N..OHa../H.......E>!HPl...F\.+n\|f..1.......9.v.\H.Z.&4M{.u.~>.....w>w....v...)"......"...a....@....n.kN.`.kH.)...K..kY..N.0..#1...=..s...A..0M.\..p%.R...B.b..f3..........."......q.J&...).N.b....5A......@.&.c.!.d...\.Z.Vu..V....."H.xO$...e.HX,....WL.`....F....."...m[bu..c.B.u.u..PB..4...U..._.]......KY...l<..a .v..>.s.4.....f#..}0..d2.8A#......*wUU...}.N.?.p=rlJ+.J.n..J#.......7\.R.-.c%....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\trough2-h.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	437
Entropy (8bit):	7.172409807946269
Encrypted:	false
SSDEEP:	12:6v/7iIGMfbllRNTwF4Aca6vxsbrVnsgP7F9J6Jz17:HSbHRhwF4A56vuZ/Z6t17
MD5:	E51360FDC759C15DEF4ED591275F6E37
SHA1:	723E725BAB93316AA5CBEEAF65A782777DD28983
SHA-256:	559FD805D661B05A7B67119EF93067D6BF076D5A92470F343332D80EB6C67168
SHA-512:	8BE34022F9188993A642A10A31D3AA05865254C69134726F5C1891E6537AF94A6E625D63A6E8D3C058A10E49A60D03C407AD8D6D70F09452D91957680D99E115
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........Oj....5IDAT(..IN.@........7n.....\.3@....0&2...._./..J.Tu..5.8.fQ...;......\|....*...[.$..>.#..z_A.,....\|;.i.^.2^...5...R..U..y.,.8<...<.-;cJ)..E.(.0.....Z.s]..B....:..1.;dud...P..D.G.J..4Ml/.l..!.3.H....q.I..H..a.....I.uK`..^ ...s...2gL..\..(h@!.....R(S...8....a...K.kAf..."V.h0...N?v..}.~..c...t$!&.lo?..z...qm....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\gray_textured\trough2.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	434
Entropy (8bit):	7.191504491746101
Encrypted:	false
SSDEEP:	12:6v/7iIGMfbllDGOEGFo+bciyq44LnHolz:HSbHCOEUo/W4EHa
MD5:	7E5A76C4CF167C7549FAD937DC8B3DA3
SHA1:	7BDBE8BE6737C51C292AA8F51F9586DB0432AB39
SHA-256:	77D9DBC6CC93882EEC1BA969D14AD6C0FDEFE35302F0F930751C4B5BAED2ABFE
SHA-512:	30D230F3F7A62425D92B5227D482E000741C34769BB88CB0F4EDABA782D3834892D9C0A1BC4468DA667951FF489453FD2B3B426ADC38BF6BA5EA34CEEACCC077
Malicious:	false
Preview:	.PNG........IHDR..............H-.....sRGB.........bKGD._._._.4.....pHYs.........B(.x....tIME........A.....2IDAT(...j.@...O..b......l..>....v..U.....X.t.L....x.{.Q.n....A.m/).jG-..)..~....2-...Ey..jQY....u=4Mcr......<.i..7..........(..s..i.....+.......!...^V.v.. .f..b1H..E.Yh.w.........7..$...5..R.....f.~.T.l+..^.<.....'&I.1..pG'...i...d2.0...DQt..Yny.".`]....%@.)?L;.u..........yK.....s~.}...?.8.Ty2y.....IEND.B`.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\is-29IF1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	15008
Entropy (8bit):	5.270725103917416
Encrypted:	false
SSDEEP:	384:s/nUm8NYR/fiYM8LXMX5fs38Ffx4Bf0lAT9:s/nX00iY/XMXq38FxK0lq
MD5:	64C98ACB587FC7E4F237EADAA84A591D
SHA1:	B92C3D066E67FC230D56E690AE1CC21222265614
SHA-256:	6E8E87C68E7EFC5CCF8694042649DE3EBA01EC1DF242C22D40842AF885D1118D
SHA-512:	B1542C0E3D5411CD8581150FE2D81401C93686E7E43754E8BF8F78ACBEB73A041F7D9223D7DC8072C132273D1DB6EB9917ED04F9F2123C1CEA4062E59CD7F129
Malicious:	false
Preview:	#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "rt_base_color:#ffffff\nrt_fg_color:#101010\nrt_tooltip_fg_color:#000000\nrt_selected_bg_color:#7C99AD\nrt_selected_fg_color:#ffffff\nrt_text_c

C:\Users\user\AppData\Local\Zexter Video Codec\themes\is-EV29A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	3276
Entropy (8bit):	5.106247394055059
Encrypted:	false
SSDEEP:	48:9yjeGR/K4ysHjBcKKFyY+fwVsFcDIYMkSnvRN55FQcsFnZFnFveKW+dFKeQFqer/:sjbR/njBz1QsFcUYnSR3QzwLwS
MD5:	72CACEE801EFA43AE137706B6A355D87
SHA1:	20AB5543B96FB36AE8540DF45022229E0A1EE780
SHA-256:	72EC12AEC248C88FA8D0EC7D3185F74006E45D092736B9EF8C15692C69A1355E
SHA-512:	FB2769296F2CF702E7387B6F959FE02EFC2AC96C9E782472C6CA93BD9E8C76FBE2BD725AF227E7444452735B96757C3ACFF51BE5D6A1FB6226E5FD7583D00FC6
Malicious:	false
Preview:	#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "salt_pinch:#95B0DB\nbase_color:#dddddd\nfg_color:#0A0A0A\ntooltip_fg_color:#000000\nselected_bg_color:#95B0DB\nselected_fg_color:#FFFFFF\ntext

C:\Users\user\AppData\Local\Zexter Video Codec\themes\is-FU9NM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.136842188131013
Encrypted:	false
SSDEEP:	3:1ERdiAqRv:1+MJ
MD5:	2BE834BAC02BFB69E1E7935A62A6B8FB
SHA1:	6165F776AC298A991E497B03E9C2E1797ED81029
SHA-256:	113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
SHA-512:	1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
Malicious:	false
Preview:	[General].Iconset=Light.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\is-KAEOS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.136842188131013
Encrypted:	false
SSDEEP:	3:1ERdiAqRv:1+MJ
MD5:	2BE834BAC02BFB69E1E7935A62A6B8FB
SHA1:	6165F776AC298A991E497B03E9C2E1797ED81029
SHA-256:	113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
SHA-512:	1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
Malicious:	false
Preview:	[General].Iconset=Light.

C:\Users\user\AppData\Local\Zexter Video Codec\themes\slim (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	3276
Entropy (8bit):	5.106247394055059
Encrypted:	false
SSDEEP:	48:9yjeGR/K4ysHjBcKKFyY+fwVsFcDIYMkSnvRN55FQcsFnZFnFveKW+dFKeQFqer/:sjbR/njBz1QsFcUYnSR3QzwLwS
MD5:	72CACEE801EFA43AE137706B6A355D87
SHA1:	20AB5543B96FB36AE8540DF45022229E0A1EE780
SHA-256:	72EC12AEC248C88FA8D0EC7D3185F74006E45D092736B9EF8C15692C69A1355E
SHA-512:	FB2769296F2CF702E7387B6F959FE02EFC2AC96C9E782472C6CA93BD9E8C76FBE2BD725AF227E7444452735B96757C3ACFF51BE5D6A1FB6226E5FD7583D00FC6
Malicious:	false
Preview:	#.# This file is part of RawTherapee..#.# Copyright (c) 2004-2011 Gabor Horvath <hgabor@rawtherapee.com>.#.# RawTherapee is free software: you can redistribute it and/or modify.# it under the terms of the GNU General Public License as published by.# the Free Software Foundation, either version 3 of the License, or.# (at your option) any later version..# .# RawTherapee is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with RawTherapee. If not, see <http://www.gnu.org/licenses/>..#..# Please keep this gtkrc in sync with the other ones from Clearlooks based themes...gtk-color-scheme = "salt_pinch:#95B0DB\nbase_color:#dddddd\nfg_color:#0A0A0A\ntooltip_fg_color:#000000\nselected_bg_color:#95B0DB\nselected_fg_color:#FFFFFF\ntext

C:\Users\user\AppData\Local\Zexter Video Codec\themes\system.iconset (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.136842188131013
Encrypted:	false
SSDEEP:	3:1ERdiAqRv:1+MJ
MD5:	2BE834BAC02BFB69E1E7935A62A6B8FB
SHA1:	6165F776AC298A991E497B03E9C2E1797ED81029
SHA-256:	113DBDDEAEE29ED930AF404A0C0D5356A95D9D1B53BAE343F2782A29B5D4DBC9
SHA-512:	1F3BC0176EC15394E6CAD295A077F33C66BD9FEA4598715B5EDED4DDE397DE519FFC6D171E9DB53A09A50929FE6D8EDE5D4D51B5B786A0C3BE6481CB7A5BA4FC
Malicious:	false
Preview:	[General].Iconset=Light.

C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\is-14BEA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	720373
Entropy (8bit):	6.507155477779126
Encrypted:	false
SSDEEP:	12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFZ:nu7eEYCP8trP837szHUA60SLtcV3E9k9
MD5:	74DE04C1DA3B854F12AE2E6C63AACF1D
SHA1:	18B6BEA4B7F04DF51BA3FCE01FDCB2A016714EB1
SHA-256:	CEB3C30CD6ED1CA29EE3A058D953BF2C7FE3B31452B4B8DD219D06D4138310E5
SHA-512:	F9E834F68ADCB2729ADF97AD96CBA376E9639D0348C326A0375B32623BBB5C08C782C5DFCC3505889179E6F9193AF0B8B6508F57D34CCD2F027C7E9A56FC077C
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	InnoSetup Log Zexter Video Codec, version 0x30, 10214 bytes, 887849\user, "C:\Users\user\AppData\Local\Zexter Video Codec"
Category:	dropped
Size (bytes):	10214
Entropy (8bit):	4.973629968718704
Encrypted:	false
SSDEEP:	48:XC5AyMdLBoMFbNpUcLUhS3J9J+4bLVO3471o5Bu0gf5y5M5iY5iV5iSs5iF5iT5t:LhWMdNpxUS59J+eOIhjlHIQN+kbk4/
MD5:	7AA35AE79D1D73CB0DB5F7374806ED48
SHA1:	557CB3B28C76D28055E5BA3426EA785E8470A95A
SHA-256:	3A416D8B96F7773E18C21705C73F92B274B7AB6204479BB24ACF33519334D732
SHA-512:	DE55BB4AE7470E40C5880F60FD0EFF44DA56F6CC1261A90809AF42AD31EA4385B0BC738E6AFA322ADDA8962D0465BA8828F0BCB99158720075774B6F051B6040
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Zexter Video Codec..............................................................................................................Zexter Video Codec..............................................................................................................0...N....'..%...............................................................................................................y.Q`..................U....887849.user2C:\Users\user\AppData\Local\Zexter Video Codec...........'...... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:U

C:\Users\user\AppData\Local\Zexter Video Codec\uninstall\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	720373
Entropy (8bit):	6.507155477779126
Encrypted:	false
SSDEEP:	12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURFFDExyFZ:nu7eEYCP8trP837szHUA60SLtcV3E9k9
MD5:	74DE04C1DA3B854F12AE2E6C63AACF1D
SHA1:	18B6BEA4B7F04DF51BA3FCE01FDCB2A016714EB1
SHA-256:	CEB3C30CD6ED1CA29EE3A058D953BF2C7FE3B31452B4B8DD219D06D4138310E5
SHA-512:	F9E834F68ADCB2729ADF97AD96CBA376E9639D0348C326A0375B32623BBB5C08C782C5DFCC3505889179E6F9193AF0B8B6508F57D34CCD2F027C7E9A56FC077C
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2586624
Entropy (8bit):	7.0380268176847265
Encrypted:	false
SSDEEP:	49152:rW4JtS+gCIx4ICoueGCMZuQfgQxQ/jgYsoPZnvhuN4Q28g:JIx4I9XGCMEQIqJ3WnYN4Q28g
MD5:	96504F6C70AD91FDC3D32BF7C3FA2696
SHA1:	5253C2279D7AD28D355DF486FA54698AFF453FEF
SHA-256:	307B073C7B8C4FBDE223BD99B0A76D99ED8743DA27208CA59A437F9FE9F4C904
SHA-512:	E2D1BAF4E09DD36842DAFF59D0ACD4B4D94594309D01DA653095557850C47FE75E7844078C146D7489A1A3B8966A1E39C41A943285BC4E7CC9134D2A03E15C4A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....u.L..................".........(."......."...@...........................'......#(......................................."......p#..`............................................................................"..............................text.....".......".................`....rdata........".......".............@..@.data...8d....#..0....".............@....rsrc....b...p#..b....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Zexter Video Codec\zlib1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	98626
Entropy (8bit):	6.478068795827396
Encrypted:	false
SSDEEP:	1536:HDuZqv5WNPuWOD+QZ7OWN4oOlatKZ2XGnToIfQIOEIOGxpdo4VoWsj:r9P6WN4wyTBfGqGxpdo4VoB
MD5:	70CA53E8B46464CCF956D157501D367A
SHA1:	AE0356FAE59D9C2042270E157EA0D311A831C86A
SHA-256:	4A7AD2198BAACC14EA2FFD803F560F20AAD59C3688A1F8AF2C8375A0D6CC9CFE
SHA-512:	CB1D52778FE95D7593D1FDBE8A1125CD19134973B65E45F1E7D21A6149A058BA2236F4BA90C1CE01B1B0AFAD4084468D1F399E98C1F0D6F234CBA023FCC7B4AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....='=.x..=......#.........t.....................c.......................................... .................................8...............................0...................................................0................................text...t...........................`.P`.data... ...........................@.0..rdata...M.......N..................@.`@/4......t&...P...(...4..............@.0@.bss..................................`..edata...............\..............@.0@.idata..8............f..............@.0..CRT....,............n..............@.0..tls.... ............p..............@.0..reloc..0............r..............@.0B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99956848961753
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Xzm9fAfKhB.exe
File size:	8'354'805 bytes
MD5:	d9cd9f798cb8012ce2834ac5e21ed371
SHA1:	a6879cd6c787a50e5f0168ecf6caddc4a0b4a822
SHA256:	e91f69194702e3b8568ba1c3db43fd187118e1fdabfb6eaef764feff8057c608
SHA512:	7801fd7206ab7f7f58467308ae97f8503bbeb6f539287debee22cc4c176c24352b43915a23bd197040215a5bad975083261aa5c1ce609dc00e91fe7038d2808e
SSDEEP:	98304:NJ9RE3OlQsmOHm0yhkfgtGmftfPFupSAlZrT4M+d4hBpFSfHG9n+aa51hHusSZoX:X7F/HF+kYtlySAlHVSPf51hHujoFB9HR
TLSH:	A086330161C66FFEDB49FDB8FC64C0186A337E7A4C38A5A97A1CE14EF1375466980638
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x409c40
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F5A98E43D7Bh
call 00007F5A98E44F82h
call 00007F5A98E45211h
call 00007F5A98E47248h
call 00007F5A98E4728Fh
call 00007F5A98E49BBEh
call 00007F5A98E49D25h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F5A98E4A78Bh
call 00007F5A98E4A3BEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F5A98E47878h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE24h
call 00007F5A98E43E27h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE24h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F5A98E48107h
mov dword ptr [0040CE28h], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F5A98E4A7FBh
mov dword ptr [0040CE30h], eax
mov eax, dword ptr [0040CE30h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F5A98E4A93Ah
mov eax, dword ptr [0040CE30h]
mov edx, 00000028h
call 00007F5A98E48508h
mov edx, dword ptr [00000030h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9364	0x9400	2c410dfc3efd04d9b69c35c70921424e	False	0.6147856841216216	data	6.560885192755103	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	d5ea23d4ecf110fd2591314cbaa84278	False	0.310546875	data	2.7390956346874638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe88	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	c26e3142a72c7bbf589aa93fdeaa93b0	False	0.3229758522727273	data	4.462274643136113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States	0.2764900662251656
RT_MANIFEST	0x13534	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T08:40:03.557729+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49719	185.208.158.248	80	TCP
2024-10-03T08:40:03.909597+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49719	185.208.158.248	80	TCP
2024-10-03T08:40:04.779447+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49720	185.208.158.248	80	TCP
2024-10-03T08:40:05.143029+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49720	185.208.158.248	80	TCP
2024-10-03T08:40:05.951562+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49721	185.208.158.248	80	TCP
2024-10-03T08:40:06.298863+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49721	185.208.158.248	80	TCP
2024-10-03T08:40:06.641793+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49721	185.208.158.248	80	TCP
2024-10-03T08:40:08.480326+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49722	185.208.158.248	80	TCP
2024-10-03T08:40:09.298643+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49723	185.208.158.248	80	TCP
2024-10-03T08:40:09.646073+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49723	185.208.158.248	80	TCP
2024-10-03T08:40:10.475796+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49725	185.208.158.248	80	TCP
2024-10-03T08:40:11.291408+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49726	185.208.158.248	80	TCP
2024-10-03T08:40:12.100767+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49727	185.208.158.248	80	TCP
2024-10-03T08:40:13.668740+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49728	185.208.158.248	80	TCP
2024-10-03T08:40:14.021882+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49728	185.208.158.248	80	TCP
2024-10-03T08:40:14.854908+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49729	185.208.158.248	80	TCP
2024-10-03T08:40:15.683032+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49730	185.208.158.248	80	TCP
2024-10-03T08:40:16.486986+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49731	185.208.158.248	80	TCP
2024-10-03T08:40:16.829817+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49731	185.208.158.248	80	TCP
2024-10-03T08:40:17.173081+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49731	185.208.158.248	80	TCP
2024-10-03T08:40:18.004594+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49732	185.208.158.248	80	TCP
2024-10-03T08:40:18.836718+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49733	185.208.158.248	80	TCP
2024-10-03T08:40:19.657844+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49734	185.208.158.248	80	TCP
2024-10-03T08:40:20.004208+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49734	185.208.158.248	80	TCP
2024-10-03T08:40:20.809757+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49735	185.208.158.248	80	TCP
2024-10-03T08:40:21.156403+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49735	185.208.158.248	80	TCP
2024-10-03T08:40:21.502908+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49735	185.208.158.248	80	TCP
2024-10-03T08:40:22.341955+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49736	185.208.158.248	80	TCP
2024-10-03T08:40:22.693294+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49736	185.208.158.248	80	TCP
2024-10-03T08:40:23.674627+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49737	185.208.158.248	80	TCP
2024-10-03T08:40:24.482732+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49738	185.208.158.248	80	TCP
2024-10-03T08:40:24.980157+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49738	185.208.158.248	80	TCP
2024-10-03T08:40:25.798356+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49739	185.208.158.248	80	TCP
2024-10-03T08:40:26.606860+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:26.953733+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:27.298083+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:27.641462+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49740	185.208.158.248	80	TCP
2024-10-03T08:40:28.465099+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49741	185.208.158.248	80	TCP
2024-10-03T08:40:30.265711+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49742	185.208.158.248	80	TCP
2024-10-03T08:40:31.104830+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49743	185.208.158.248	80	TCP
2024-10-03T08:40:32.078905+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:32.454570+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:32.798274+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:33.141264+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:33.485451+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:33.834878+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:34.298286+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:34.648536+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49744	185.208.158.248	80	TCP
2024-10-03T08:40:35.454533+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49745	185.208.158.248	80	TCP
2024-10-03T08:40:35.798624+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49745	185.208.158.248	80	TCP
2024-10-03T08:40:36.145125+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49745	185.208.158.248	80	TCP
2024-10-03T08:40:36.957264+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49746	185.208.158.248	80	TCP
2024-10-03T08:40:37.775736+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49748	185.208.158.248	80	TCP
2024-10-03T08:40:38.577743+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49749	185.208.158.248	80	TCP
2024-10-03T08:40:38.922676+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49749	185.208.158.248	80	TCP
2024-10-03T08:40:39.790336+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49750	185.208.158.248	80	TCP
2024-10-03T08:40:40.601299+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49751	185.208.158.248	80	TCP
2024-10-03T08:40:41.422965+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49752	185.208.158.248	80	TCP
2024-10-03T08:40:41.770339+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49752	185.208.158.248	80	TCP
2024-10-03T08:40:42.584993+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49753	185.208.158.248	80	TCP
2024-10-03T08:40:43.426932+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49754	185.208.158.248	80	TCP
2024-10-03T08:40:44.232887+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49755	185.208.158.248	80	TCP
2024-10-03T08:40:44.580361+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49755	185.208.158.248	80	TCP
2024-10-03T08:40:44.974483+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49755	185.208.158.248	80	TCP
2024-10-03T08:40:45.788468+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49756	185.208.158.248	80	TCP
2024-10-03T08:40:46.620773+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49757	185.208.158.248	80	TCP
2024-10-03T08:40:47.429110+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49758	185.208.158.248	80	TCP
2024-10-03T08:40:48.250966+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49759	185.208.158.248	80	TCP
2024-10-03T08:40:48.821744+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49759	185.208.158.248	80	TCP
2024-10-03T08:40:49.636214+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49760	185.208.158.248	80	TCP
2024-10-03T08:40:50.436319+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:50.782549+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:51.125825+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:51.469860+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49761	185.208.158.248	80	TCP
2024-10-03T08:40:52.430506+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49762	185.208.158.248	80	TCP
2024-10-03T08:40:53.235582+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:53.580693+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:53.923676+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:54.270652+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49763	185.208.158.248	80	TCP
2024-10-03T08:40:55.079309+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49764	185.208.158.248	80	TCP
2024-10-03T08:40:55.913022+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49765	185.208.158.248	80	TCP
2024-10-03T08:40:56.727880+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49766	185.208.158.248	80	TCP
2024-10-03T08:40:57.530444+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49767	185.208.158.248	80	TCP
2024-10-03T08:40:58.436463+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49768	185.208.158.248	80	TCP
2024-10-03T08:40:59.085837+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49768	185.208.158.248	80	TCP
2024-10-03T08:40:59.908301+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49769	185.208.158.248	80	TCP
2024-10-03T08:41:00.252946+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49769	185.208.158.248	80	TCP
2024-10-03T08:41:01.124506+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49770	185.208.158.248	80	TCP
2024-10-03T08:41:02.734317+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49771	185.208.158.248	80	TCP
2024-10-03T08:41:03.541913+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49772	185.208.158.248	80	TCP
2024-10-03T08:41:04.363758+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49773	185.208.158.248	80	TCP
2024-10-03T08:41:05.280891+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49774	185.208.158.248	80	TCP
2024-10-03T08:41:07.092124+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49775	185.208.158.248	80	TCP
2024-10-03T08:41:07.959005+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49776	185.208.158.248	80	TCP
2024-10-03T08:41:09.318273+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49777	185.208.158.248	80	TCP
2024-10-03T08:41:10.152657+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49778	185.208.158.248	80	TCP
2024-10-03T08:41:10.994314+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49780	185.208.158.248	80	TCP
2024-10-03T08:41:11.825886+0200	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.6	49781	185.208.158.248	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 08:40:02.628376961 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:02.863717079 CEST	80	49719	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:02.863802910 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:02.864634037 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:02.869415998 CEST	80	49719	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:03.557631016 CEST	80	49719	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:03.557729006 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:03.674933910 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:03.679847002 CEST	80	49719	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:03.909456968 CEST	80	49719	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:03.909596920 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.072885036 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.073293924 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.078572989 CEST	80	49720	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:04.078701019 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.079303980 CEST	80	49719	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:04.079369068 CEST	49719	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.080270052 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.085675955 CEST	80	49720	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:04.779196978 CEST	80	49720	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:04.779447079 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.898948908 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:04.903821945 CEST	80	49720	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:05.142782927 CEST	80	49720	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:05.143028975 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:05.265054941 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:05.265465021 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:05.270853043 CEST	80	49720	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:05.270935059 CEST	49720	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:05.271133900 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:05.271202087 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:05.271353960 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:05.276333094 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:05.951478958 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:05.951561928 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.062617064 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.067542076 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:06.298695087 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:06.298862934 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.405808926 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.410706043 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:06.641705990 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:06.641793013 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.780739069 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.781013966 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.785868883 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:06.785952091 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.786078930 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.786183119 CEST	80	49721	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:06.786242962 CEST	49721	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:06.790849924 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.480254889 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.480325937 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.482898951 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.482944012 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.484797001 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.484837055 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.486469030 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.486529112 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.593296051 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.593666077 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.598426104 CEST	80	49722	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.598444939 CEST	80	49723	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:08.598484039 CEST	49722	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.598814011 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.598814011 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:08.603586912 CEST	80	49723	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:09.298475981 CEST	80	49723	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:09.298643112 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.405997038 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.410953999 CEST	80	49723	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:09.645940065 CEST	80	49723	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:09.646073103 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.767061949 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.771287918 CEST	49725	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.772119999 CEST	80	49723	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:09.772173882 CEST	49723	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.776091099 CEST	80	49725	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:09.776170969 CEST	49725	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.776340008 CEST	49725	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:09.781088114 CEST	80	49725	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:10.475730896 CEST	80	49725	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:10.475795984 CEST	49725	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:10.593249083 CEST	49725	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:10.593615055 CEST	49726	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:10.598491907 CEST	80	49725	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:10.598507881 CEST	80	49726	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:10.598593950 CEST	49725	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:10.598648071 CEST	49726	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:10.598853111 CEST	49726	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:10.603899002 CEST	80	49726	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:11.291286945 CEST	80	49726	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:11.291408062 CEST	49726	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:11.406327963 CEST	49726	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:11.406771898 CEST	49727	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:11.411674976 CEST	80	49727	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:11.411758900 CEST	80	49726	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:11.411808014 CEST	49727	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:11.411812067 CEST	49726	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:11.412262917 CEST	49727	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:11.417156935 CEST	80	49727	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:12.100610018 CEST	80	49727	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:12.100766897 CEST	49727	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:12.218810081 CEST	49727	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:12.219238043 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:12.224129915 CEST	80	49727	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:12.224148989 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:12.224241972 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:12.224324942 CEST	49727	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:12.224473000 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:12.229322910 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:13.668549061 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:13.668603897 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:13.668740034 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:13.668740034 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:13.668791056 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:13.669023037 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:13.780925989 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:13.785836935 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.021795034 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.021882057 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.140773058 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.141207933 CEST	49729	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.146133900 CEST	80	49728	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.146190882 CEST	49728	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.146445036 CEST	80	49729	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.146517992 CEST	49729	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.146637917 CEST	49729	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.151376963 CEST	80	49729	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.854753971 CEST	80	49729	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.854907990 CEST	49729	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.968286037 CEST	49729	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.968734026 CEST	49730	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.973515987 CEST	80	49730	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.973535061 CEST	80	49729	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:14.973618984 CEST	49730	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.973649025 CEST	49729	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.973823071 CEST	49730	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:14.978569984 CEST	80	49730	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:15.682823896 CEST	80	49730	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:15.683032036 CEST	49730	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:15.800786018 CEST	49730	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:15.801270008 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:15.806022882 CEST	80	49730	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:15.806071043 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:15.806102037 CEST	49730	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:15.806174040 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:15.806411982 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:15.811233044 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:16.486926079 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:16.486985922 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:16.594657898 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:16.599570990 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:16.829636097 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:16.829817057 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:16.937657118 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:16.942634106 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:17.172575951 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:17.173080921 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:17.301034927 CEST	49732	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:17.301075935 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:17.306081057 CEST	80	49732	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:17.306216002 CEST	49732	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:17.306821108 CEST	49732	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:17.310920954 CEST	80	49731	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:17.311005116 CEST	49731	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:17.311939955 CEST	80	49732	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.004415035 CEST	80	49732	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.004594088 CEST	49732	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.124488115 CEST	49732	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.125086069 CEST	49733	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.129632950 CEST	80	49732	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.129765034 CEST	49732	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.129857063 CEST	80	49733	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.129940987 CEST	49733	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.130326033 CEST	49733	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.135072947 CEST	80	49733	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.836652040 CEST	80	49733	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.836718082 CEST	49733	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.952739000 CEST	49733	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.953123093 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.958053112 CEST	80	49733	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.958067894 CEST	80	49734	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:18.958174944 CEST	49733	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.958216906 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.958450079 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:18.963246107 CEST	80	49734	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:19.657707930 CEST	80	49734	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:19.657844067 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:19.765295982 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:19.770184040 CEST	80	49734	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:20.004149914 CEST	80	49734	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:20.004208088 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.124816895 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.125233889 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.129893064 CEST	80	49734	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:20.129972935 CEST	49734	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.130028009 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:20.130106926 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.130224943 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.135042906 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:20.809381008 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:20.809756994 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.921127081 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:20.926225901 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:21.156325102 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:21.156403065 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.267410040 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.272597075 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:21.502697945 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:21.502907991 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.624806881 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.625102997 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.629951954 CEST	80	49736	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:21.630088091 CEST	80	49735	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:21.630333900 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.630362034 CEST	49735	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.630506039 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:21.635240078 CEST	80	49736	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:22.341828108 CEST	80	49736	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:22.341954947 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.452673912 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.457597971 CEST	80	49736	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:22.693164110 CEST	80	49736	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:22.693294048 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.812444925 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.812768936 CEST	49737	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.986002922 CEST	80	49737	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:22.986095905 CEST	49737	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.986327887 CEST	49737	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.987173080 CEST	80	49736	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:22.987270117 CEST	49736	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:22.991309881 CEST	80	49737	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:23.674521923 CEST	80	49737	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:23.674627066 CEST	49737	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:23.797009945 CEST	49737	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:23.797396898 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:23.802454948 CEST	80	49738	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:23.802474976 CEST	80	49737	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:23.802697897 CEST	49737	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:23.802697897 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:23.802931070 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:23.807743073 CEST	80	49738	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:24.482613087 CEST	80	49738	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:24.482732058 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:24.594302893 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:24.749682903 CEST	80	49738	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:24.979993105 CEST	80	49738	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:24.980156898 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.093549013 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.094012022 CEST	49739	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.098805904 CEST	80	49739	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:25.098943949 CEST	49739	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.099147081 CEST	49739	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.099266052 CEST	80	49738	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:25.099328995 CEST	49738	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.103903055 CEST	80	49739	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:25.798125982 CEST	80	49739	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:25.798356056 CEST	49739	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.921396017 CEST	49739	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.921791077 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.926620007 CEST	80	49739	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:25.926681042 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:25.926709890 CEST	49739	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.926759958 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.926884890 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:25.931752920 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:26.606780052 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:26.606859922 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:26.718776941 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:26.723635912 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:26.953551054 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:26.953732967 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.063043118 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.067967892 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:27.297996044 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:27.298083067 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.406148911 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.411163092 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:27.641269922 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:27.641462088 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.766570091 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.767507076 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.772195101 CEST	80	49740	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:27.772332907 CEST	49740	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.772802114 CEST	80	49741	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:27.772939920 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.773305893 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:27.778604031 CEST	80	49741	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:28.464914083 CEST	80	49741	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:28.465099096 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:28.579166889 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:28.579565048 CEST	49742	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:28.887681961 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:29.497061968 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:29.574079990 CEST	80	49742	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:29.574095011 CEST	80	49741	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:29.574109077 CEST	80	49741	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:29.574122906 CEST	80	49741	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:29.574307919 CEST	49741	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:29.574685097 CEST	49742	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:29.574685097 CEST	49742	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:29.580543041 CEST	80	49742	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:30.265495062 CEST	80	49742	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:30.265711069 CEST	49742	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:30.390505075 CEST	49742	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:30.390849113 CEST	49743	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:30.396399975 CEST	80	49743	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:30.396503925 CEST	49743	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:30.396600008 CEST	49743	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:30.397593975 CEST	80	49742	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:30.397663116 CEST	49742	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:30.401535034 CEST	80	49743	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:31.104674101 CEST	80	49743	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:31.104830027 CEST	49743	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:31.389230013 CEST	49743	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:31.392785072 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:31.394659042 CEST	80	49743	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:31.394828081 CEST	49743	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:31.397717953 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:31.397788048 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:31.399708033 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:31.404534101 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:32.078743935 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:32.078905106 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:32.219335079 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:32.224832058 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:32.454421997 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:32.454570055 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:32.562935114 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:32.568295002 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:32.798055887 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:32.798274040 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:32.906284094 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:32.911211014 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:33.141210079 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:33.141263962 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:33.250504017 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:33.255604029 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:33.485387087 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:33.485450983 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:33.599545956 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:33.604491949 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:33.834593058 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:33.834877968 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.063133001 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.068188906 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:34.298094988 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:34.298285961 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.406945944 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.412028074 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:34.648475885 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:34.648535967 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.767955065 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.768330097 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.773308039 CEST	80	49744	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:34.773400068 CEST	49744	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.773410082 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:34.773619890 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.773619890 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:34.778426886 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:35.454287052 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:35.454533100 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:35.562244892 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:35.567157984 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:35.797399998 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:35.798624039 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:35.907480001 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:35.913719893 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:36.144242048 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:36.145124912 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:36.266062021 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:36.266995907 CEST	49746	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:36.271444082 CEST	80	49745	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:36.271783113 CEST	80	49746	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:36.273219109 CEST	49745	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:36.273219109 CEST	49746	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:36.273219109 CEST	49746	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:36.279200077 CEST	80	49746	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:36.957178116 CEST	80	49746	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:36.957263947 CEST	49746	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.081142902 CEST	49746	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.081489086 CEST	49748	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.086402893 CEST	80	49748	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:37.086481094 CEST	49748	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.086533070 CEST	80	49746	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:37.086584091 CEST	49746	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.086796045 CEST	49748	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.091820002 CEST	80	49748	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:37.775580883 CEST	80	49748	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:37.775736094 CEST	49748	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.891371012 CEST	49748	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.891777992 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.896631002 CEST	80	49749	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:37.896656990 CEST	80	49748	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:37.896847963 CEST	49748	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.897097111 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.897097111 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:37.901983023 CEST	80	49749	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:38.577610970 CEST	80	49749	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:38.577743053 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:38.687458992 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:38.692293882 CEST	80	49749	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:38.922528028 CEST	80	49749	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:38.922676086 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.046519995 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.046835899 CEST	49750	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.051675081 CEST	80	49750	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:39.051759005 CEST	80	49749	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:39.051857948 CEST	49749	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.052006960 CEST	49750	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.052006960 CEST	49750	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.056782961 CEST	80	49750	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:39.790052891 CEST	80	49750	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:39.790335894 CEST	49750	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.906405926 CEST	49750	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.906800985 CEST	49751	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.911686897 CEST	80	49751	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:39.911757946 CEST	80	49750	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:39.911793947 CEST	49751	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.911896944 CEST	49750	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.912134886 CEST	49751	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:39.917011023 CEST	80	49751	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:40.601171970 CEST	80	49751	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:40.601299047 CEST	49751	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:40.718647957 CEST	49751	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:40.719034910 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:40.723872900 CEST	80	49751	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:40.723908901 CEST	80	49752	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:40.723963022 CEST	49751	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:40.724018097 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:40.724133015 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:40.728905916 CEST	80	49752	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:41.422849894 CEST	80	49752	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:41.422965050 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.531342030 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.536360979 CEST	80	49752	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:41.770196915 CEST	80	49752	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:41.770339012 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.890860081 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.891145945 CEST	49753	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.896006107 CEST	80	49753	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:41.896042109 CEST	80	49752	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:41.896158934 CEST	49752	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.896423101 CEST	49753	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.896423101 CEST	49753	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:41.901185036 CEST	80	49753	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:42.584836006 CEST	80	49753	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:42.584992886 CEST	49753	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:42.721718073 CEST	49753	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:42.722088099 CEST	49754	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:42.727777004 CEST	80	49754	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:42.727822065 CEST	80	49753	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:42.728050947 CEST	49753	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:42.728072882 CEST	49754	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:42.728334904 CEST	49754	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:42.733854055 CEST	80	49754	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:43.426830053 CEST	80	49754	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:43.426932096 CEST	49754	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:43.547018051 CEST	49754	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:43.547648907 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:43.552314997 CEST	80	49754	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:43.552402973 CEST	49754	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:43.552701950 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:43.552781105 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:43.552997112 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:43.558027029 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:44.232821941 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:44.232887030 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:44.345263004 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:44.350347996 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:44.580113888 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:44.580360889 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:44.687431097 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:44.692295074 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:44.974201918 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:44.974483013 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.094227076 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.094585896 CEST	49756	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.099881887 CEST	80	49756	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:45.100100040 CEST	80	49755	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:45.100189924 CEST	49755	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.100343943 CEST	49756	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.100343943 CEST	49756	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.107074976 CEST	80	49756	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:45.788096905 CEST	80	49756	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:45.788467884 CEST	49756	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.906172037 CEST	49756	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.906636953 CEST	49757	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.911565065 CEST	80	49757	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:45.911608934 CEST	80	49756	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:45.911760092 CEST	49756	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.911847115 CEST	49757	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.912000895 CEST	49757	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:45.916764975 CEST	80	49757	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:46.620382071 CEST	80	49757	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:46.620773077 CEST	49757	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:46.734771013 CEST	49757	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:46.735063076 CEST	49758	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:46.740051031 CEST	80	49758	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:46.740148067 CEST	49758	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:46.740303993 CEST	80	49757	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:46.740361929 CEST	49757	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:46.740458965 CEST	49758	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:46.745251894 CEST	80	49758	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:47.428903103 CEST	80	49758	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:47.429110050 CEST	49758	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:47.546802044 CEST	49758	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:47.547175884 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:47.552208900 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:47.552252054 CEST	80	49758	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:47.552340031 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:47.552376032 CEST	49758	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:47.552508116 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:47.557295084 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.250814915 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.250966072 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.359740973 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.364517927 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.821665049 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.821743965 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.821926117 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.821974039 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.937870979 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.938328028 CEST	49760	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.943314075 CEST	80	49760	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.943358898 CEST	80	49759	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:48.943449020 CEST	49760	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.943494081 CEST	49759	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.943679094 CEST	49760	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:48.948503971 CEST	80	49760	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:49.635982037 CEST	80	49760	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:49.636214018 CEST	49760	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:49.750022888 CEST	49760	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:49.750267982 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:49.755183935 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:49.755337000 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:49.755462885 CEST	80	49760	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:49.755522966 CEST	49760	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:49.755646944 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:49.760457993 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:50.436171055 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:50.436319113 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:50.547101974 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:50.552094936 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:50.782444954 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:50.782548904 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:50.890703917 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:50.895802975 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:51.125736952 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:51.125824928 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.234190941 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.239197016 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:51.469795942 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:51.469860077 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.597198963 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.597682953 CEST	49762	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.603497982 CEST	80	49761	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:51.603516102 CEST	80	49762	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:51.603646040 CEST	49761	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.603692055 CEST	49762	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.603843927 CEST	49762	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:51.608745098 CEST	80	49762	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:52.430360079 CEST	80	49762	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:52.430505991 CEST	49762	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:52.547820091 CEST	49762	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:52.548346043 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:52.552890062 CEST	80	49762	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:52.553185940 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:52.553296089 CEST	49762	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:52.553354025 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:52.553674936 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:52.558453083 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:53.235363960 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:53.235582113 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:53.344419003 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:53.349559069 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:53.580605030 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:53.580693007 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:53.687880993 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:53.692852020 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:53.923546076 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:53.923676014 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.033719063 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.040035009 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:54.270473957 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:54.270652056 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.390762091 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.391129017 CEST	49764	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.395958900 CEST	80	49763	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:54.396096945 CEST	49763	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.396199942 CEST	80	49764	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:54.396286964 CEST	49764	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.396403074 CEST	49764	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:54.401384115 CEST	80	49764	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:55.079179049 CEST	80	49764	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:55.079308987 CEST	49764	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:55.218791962 CEST	49764	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:55.219211102 CEST	49765	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:55.224056005 CEST	80	49764	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:55.224128008 CEST	80	49765	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:55.224153996 CEST	49764	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:55.224215984 CEST	49765	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:55.224386930 CEST	49765	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:55.229209900 CEST	80	49765	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:55.912945032 CEST	80	49765	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:55.913022041 CEST	49765	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.031572104 CEST	49765	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.031851053 CEST	49766	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.036993980 CEST	80	49766	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:56.037029982 CEST	80	49765	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:56.037141085 CEST	49766	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.037183046 CEST	49765	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.037364960 CEST	49766	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.042285919 CEST	80	49766	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:56.727710962 CEST	80	49766	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:56.727880001 CEST	49766	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.843801975 CEST	49766	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.844208002 CEST	49767	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.849104881 CEST	80	49766	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:56.849139929 CEST	80	49767	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:56.849219084 CEST	49766	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.849287987 CEST	49767	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.849489927 CEST	49767	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:56.854295969 CEST	80	49767	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:57.530292034 CEST	80	49767	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:57.530443907 CEST	49767	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:57.746351004 CEST	49767	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:57.746870995 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:57.751825094 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:57.751910925 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:57.752073050 CEST	80	49767	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:57.752083063 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:57.752136946 CEST	49767	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:57.756921053 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:58.436193943 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:58.436463118 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:58.547574043 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:58.552903891 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.085712910 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.085836887 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.087635994 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.087692022 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.204000950 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.204261065 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.211615086 CEST	80	49769	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.211661100 CEST	80	49768	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.211745024 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.211810112 CEST	49768	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.211988926 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:40:59.217169046 CEST	80	49769	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.908010006 CEST	80	49769	185.208.158.248	192.168.2.6
Oct 3, 2024 08:40:59.908301115 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.015861988 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.021828890 CEST	80	49769	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:00.252676010 CEST	80	49769	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:00.252945900 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.375356913 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.375801086 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.403017998 CEST	80	49770	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:00.403283119 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.403549910 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.404386044 CEST	80	49769	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:00.404489040 CEST	49769	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:00.433726072 CEST	80	49770	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:01.124316931 CEST	80	49770	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:01.124505997 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.234631062 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.235161066 CEST	49771	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.544380903 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.898236990 CEST	80	49771	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:01.898252964 CEST	80	49770	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:01.898266077 CEST	80	49770	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:01.898343086 CEST	49771	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.898365974 CEST	49770	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.898866892 CEST	49771	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:01.909265041 CEST	80	49771	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:02.734208107 CEST	80	49771	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:02.734317064 CEST	49771	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:02.844472885 CEST	49771	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:02.844882965 CEST	49772	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:02.850883961 CEST	80	49771	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:02.850955963 CEST	80	49772	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:02.851007938 CEST	49771	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:02.851058006 CEST	49772	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:02.851217985 CEST	49772	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:02.857237101 CEST	80	49772	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:03.541661024 CEST	80	49772	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:03.541913033 CEST	49772	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:03.656825066 CEST	49772	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:03.657207012 CEST	49773	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:03.662188053 CEST	80	49773	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:03.662240028 CEST	80	49772	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:03.662288904 CEST	49773	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:03.662338972 CEST	49772	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:03.662544012 CEST	49773	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:03.667560101 CEST	80	49773	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:04.363653898 CEST	80	49773	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:04.363758087 CEST	49773	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:04.515959024 CEST	49773	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:04.516375065 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:04.521409035 CEST	80	49773	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:04.521506071 CEST	49773	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:04.521655083 CEST	80	49774	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:04.521728992 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:04.521970034 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:04.527009964 CEST	80	49774	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.280806065 CEST	80	49774	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.280890942 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.396667957 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.397131920 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.411843061 CEST	80	49775	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.411916971 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.414280891 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.416812897 CEST	80	49774	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.416873932 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.653719902 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.676556110 CEST	80	49774	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.676619053 CEST	49774	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:05.678802013 CEST	80	49775	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.678966045 CEST	80	49775	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:05.681850910 CEST	80	49774	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:07.091998100 CEST	80	49775	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:07.092123985 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:07.221160889 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:07.221613884 CEST	49776	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:07.226814032 CEST	80	49776	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:07.226973057 CEST	49776	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:07.227001905 CEST	80	49775	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:07.227062941 CEST	49775	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:07.227294922 CEST	49776	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:07.232395887 CEST	80	49776	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:07.958908081 CEST	80	49776	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:07.959005117 CEST	49776	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:08.081571102 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:08.081748962 CEST	49776	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:08.086935043 CEST	80	49777	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:08.087008953 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:08.087143898 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:08.087579012 CEST	80	49776	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:08.087629080 CEST	49776	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:08.095213890 CEST	80	49777	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:09.318182945 CEST	80	49777	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:09.318273067 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.319293976 CEST	80	49777	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:09.319380045 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.441019058 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.445813894 CEST	49778	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.447803974 CEST	80	49777	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:09.448879004 CEST	49777	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.450723886 CEST	80	49778	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:09.450923920 CEST	49778	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.451809883 CEST	49778	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:09.457557917 CEST	80	49778	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:10.152586937 CEST	80	49778	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:10.152657032 CEST	49778	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:10.270255089 CEST	49778	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:10.270916939 CEST	49780	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:10.275661945 CEST	80	49778	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:10.275878906 CEST	49778	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:10.275985003 CEST	80	49780	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:10.276135921 CEST	49780	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:10.276777983 CEST	49780	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:10.281650066 CEST	80	49780	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:10.994122982 CEST	80	49780	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:10.994313955 CEST	49780	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:11.111788988 CEST	49780	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:11.112235069 CEST	49781	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:11.118211031 CEST	80	49780	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:11.118282080 CEST	80	49781	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:11.118333101 CEST	49780	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:11.119035006 CEST	49781	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:11.119076967 CEST	49781	80	192.168.2.6	185.208.158.248
Oct 3, 2024 08:41:11.128696918 CEST	80	49781	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:11.825767040 CEST	80	49781	185.208.158.248	192.168.2.6
Oct 3, 2024 08:41:11.825886011 CEST	49781	80	192.168.2.6	185.208.158.248

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 08:40:01.849875927 CEST	53742	53	192.168.2.6	141.98.234.31
Oct 3, 2024 08:40:02.090013981 CEST	53	53742	141.98.234.31	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 08:40:01.849875927 CEST	192.168.2.6	141.98.234.31	0x733f	Standard query (0)	ebirbqi.ua	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 08:40:02.090013981 CEST	141.98.234.31	192.168.2.6	0x733f	No error (0)	ebirbqi.ua		185.208.158.248	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ebirbqi.ua

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:02.864634037 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:03.557631016 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:03.674933910 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:03.909456968 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:04.080270052 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:04.779196978 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:04.898948908 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:05.142782927 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:05.271353960 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:05.951478958 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:06.062617064 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:06.298695087 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:06.405808926 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:06.641705990 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:06.786078930 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:08.480254889 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:08.482898951 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:08.484797001 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:08.486469030 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49723	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:08.598814011 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:09.298475981 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:09.405997038 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:09.645940065 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49725	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:09.776340008 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:10.475730896 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49726	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:10.598853111 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:11.291286945 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49727	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:11.412262917 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:12.100610018 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49728	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:12.224473000 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:13.668549061 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:13.668603897 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:13.668791056 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:13.780925989 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:14.021795034 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49729	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:14.146637917 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:14.854753971 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49730	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:14.973823071 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:15.682823896 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49731	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:15.806411982 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:16.486926079 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:16.594657898 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:16.829636097 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:16.937657118 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:17.172575951 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49732	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:17.306821108 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:18.004415035 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49733	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:18.130326033 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:18.836652040 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49734	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:18.958450079 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:19.657707930 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:19.765295982 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:20.004149914 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49735	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:20.130224943 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:20.809381008 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:20.921127081 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:21.156325102 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:21.267410040 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:21.502697945 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49736	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:21.630506039 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:22.341828108 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:22.452673912 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:22.693164110 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49737	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:22.986327887 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:23.674521923 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49738	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:23.802931070 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:24.482613087 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:24.594302893 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:24.979993105 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49739	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:25.099147081 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:25.798125982 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49740	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:25.926884890 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:26.606780052 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:26.718776941 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:26.953551054 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:27.063043118 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:27.297996044 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:27.406148911 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:27.641269922 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49741	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:27.773305893 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:28.464914083 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49742	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:29.574685097 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:30.265495062 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49743	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:30.396600008 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:31.104674101 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49744	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:31.399708033 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:32.078743935 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:32.219335079 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:32.454421997 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:32.562935114 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:32.798055887 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:32.906284094 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:33.141210079 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:33.250504017 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:33.485387087 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:33.599545956 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:33.834593058 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:34.063133001 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:34.298094988 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:34.406945944 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:34.648475885 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49745	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:34.773619890 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:35.454287052 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:35.562244892 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:35.797399998 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:35.907480001 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:36.144242048 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49746	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:36.273219109 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:36.957178116 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49748	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:37.086796045 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:37.775580883 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49749	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:37.897097111 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:38.577610970 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:38.687458992 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:38.922528028 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49750	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:39.052006960 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:39.790052891 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49751	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:39.912134886 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:40.601171970 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49752	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:40.724133015 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:41.422849894 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:41.531342030 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:41.770196915 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49753	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:41.896423101 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:42.584836006 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49754	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:42.728334904 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:43.426830053 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49755	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:43.552997112 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:44.232821941 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:44.345263004 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:44.580113888 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:44.687431097 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:44.974201918 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49756	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:45.100343943 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:45.788096905 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49757	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:45.912000895 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:46.620382071 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49758	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:46.740458965 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:47.428903103 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49759	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:47.552508116 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:48.250814915 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:48.359740973 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:48.821665049 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:48.821926117 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49760	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:48.943679094 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:49.635982037 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49761	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:49.755646944 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:50.436171055 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:50.547101974 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:50.782444954 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:50.890703917 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:51.125736952 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:51.234190941 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:51.469795942 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	49762	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:51.603843927 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:52.430360079 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	49763	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:52.553674936 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:53.235363960 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:53.344419003 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:53.580605030 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:53.687880993 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:53.923546076 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:54.033719063 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:54.270473957 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	49764	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:54.396403074 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:55.079179049 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	49765	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:55.224386930 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:55.912945032 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	49766	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:56.037364960 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:56.727710962 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	49767	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:56.849489927 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:57.530292034 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	49768	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:57.752083063 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:58.436193943 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:58.547574043 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:59.085712910 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:40:59.087635994 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	49769	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:40:59.211988926 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:40:59.908010006 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:40:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:41:00.015861988 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:00.252676010 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	49770	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:00.403549910 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:01.124316931 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	49771	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:01.898866892 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:02.734208107 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	49772	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:02.851217985 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:03.541661024 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	49773	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:03.662544012 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:04.363653898 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	49774	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:04.521970034 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:05.280806065 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	49775	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:05.414280891 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:05.653719902 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:07.091998100 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.6	49776	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:07.227294922 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:07.958908081 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.6	49777	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:08.087143898 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:09.318182945 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Oct 3, 2024 08:41:09.319293976 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.6	49778	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:09.451809883 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:10.152586937 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.6	49780	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:10.276777983 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:10.994122982 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.6	49781	185.208.158.248	80	6236	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 08:41:11.119076967 CEST	313	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c445db22f31df92d8838ed12a666d307eca743ec4c2b07b5296692396087fc16c6ef9d HTTP/1.1 Host: ebirbqi.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Oct 3, 2024 08:41:11.825767040 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 03 Oct 2024 06:41:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Target ID:	0
Start time:	02:39:05
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\Xzm9fAfKhB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Xzm9fAfKhB.exe"
Imagebase:	0x400000
File size:	8'354'805 bytes
MD5 hash:	D9CD9F798CB8012CE2834AC5E21ED371
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	02:39:05
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp" /SL5="$203DC,8066431,54272,C:\Users\user\Desktop\Xzm9fAfKhB.exe"
Imagebase:	0x400000
File size:	709'120 bytes
MD5 hash:	16C9D19AB32C18671706CEFEE19B6949
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:39:08
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe" -i
Imagebase:	0x400000
File size:	2'586'624 bytes
MD5 hash:	96504F6C70AD91FDC3D32BF7C3FA2696
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3386241526.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1498
Total number of Limit Nodes:	22

Executed Functions

Function 00409B30 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B42
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669

Function 004051FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6

Strings

SetSearchPathMode, xrefs: 0040459F
kernel32.dll, xrefs: 0040457D
SetProcessDEPPolicy, xrefs: 004045B5
SetDllDirectoryW, xrefs: 00404589

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Function 0040A0E7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040A0F4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021515A8), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
SetWindowLongA.USER32(000203DC,000000FC,00409918), ref: 0040A148
RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
73EA5CF0.USER32(000203DC,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248

Strings

STATIC, xrefs: 0040A12A
InnoSetupLdrWindow, xrefs: 0040A125
/SL5="$%x,%d,%d,, xrefs: 0040A188

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLastWindow$CreateDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3341979996-3001827809
Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

shell32.dll, xrefs: 00409110
Wow64RevertWow64FsRedirection, xrefs: 004090D4
Wow64DisableWow64FsRedirection, xrefs: 004090BA
kernel32.dll, xrefs: 004090BF, 004090D9

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

Function 0040A0D5 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
SetWindowLongA.USER32(000203DC,000000FC,00409918), ref: 0040A148

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94

Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021515A8,00409A90,00000000,00409A77), ref: 00409A14
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021515A8,00409A90,00000000), ref: 00409A28
Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021515A8,00409A90), ref: 00409A5C

RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
73EA5CF0.USER32(000203DC,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248

Strings

STATIC, xrefs: 0040A12A
InnoSetupLdrWindow, xrefs: 0040A125
/SL5="$%x,%d,%d,, xrefs: 0040A188

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 978128352-3001827809
Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

Function 004099A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021515A8,00409A90,00000000,00409A77), ref: 00409A14
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021515A8,00409A90,00000000), ref: 00409A28
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,021515A8,00409A90), ref: 00409A5C

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,021515A8), ref: 0040966C

Strings

D, xrefs: 004099EE

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

Function 00409E47 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

.tmp, xrefs: 00409EF1
y@, xrefs: 00409FB4

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

Function 00409E62 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

.tmp, xrefs: 00409EF1
y@, xrefs: 00409FB4

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
Instruction ID: fef9de22095f7e51d457e3baefdda2d393bbfb66a144e2f6f14d312cbfdc2d61
Opcode Fuzzy Hash: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
Instruction Fuzzy Hash: 3A418D70610204DFC711EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
Instruction ID: a1094b0e4056d8a2da25745c6e48f9a4b2523a9a3c4edc503687ab74cbc79d39
Opcode Fuzzy Hash: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
Instruction Fuzzy Hash: 3A213674A002099BDB05FFA1C9429DEB7B9EF48304F50457BE901B73C2DA7C9E059AA5

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

Function 00406FA0 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406FAA
LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Function 0040766C Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Function 0040762C Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Function 004075C4 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00405270 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F

Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9

Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98

Function 00407576 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407578 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 004069DC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428

Function 004076C8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676

Function 00407284 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F

Function 004076AC Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02164000,0040A08C,00000000), ref: 004076B3

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021403AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666

Function 00406FFB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519

Function 00407017 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B

Function 00406970 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction Fuzzy Hash:

Function 00407F10 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00407548 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407558

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D

Function 00407EB8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654

Non-executed Functions

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 00409BEC Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E

Function 00405248 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405CE4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1

Strings

Locale, xrefs: 00407090
.DEFAULT\Control Panel\International, xrefs: 00407078
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
kernel32.dll, xrefs: 00407048
GetUserDefaultUILanguage, xrefs: 00407043

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004019DC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(006C03D8,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,006C03D8,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(006BE880,?,00000000,00008000,006C03D8,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Strings

tk, xrefs: 00401A5D

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: tk
API String ID: 3782394904-23409012
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 004053B4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE

Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B

Strings

m/d/yy, xrefs: 0040549D
:mm, xrefs: 004055B0
:mm:ss, xrefs: 004055CA
mmmm d, yyyy, xrefs: 004054BF
AMPM, xrefs: 00405599

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9
9@, xrefs: 00403D29, 00403D34

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 00401918 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Strings

tk, xrefs: 0040195A

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: tk
API String ID: 730355536-23409012
Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103
h'j, xrefs: 004030F3

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$h'j
API String ID: 2123368496-3788664753
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.3383049259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3382984741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383161114.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3383195779.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Analysis Process: Xzm9fAfKhB.tmpPID: 64, Parent PID: 4800COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	72

Executed Functions

Function 00470950 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 956COMMON

Download Yara Rule

Strings

Time stamp of existing file: %s, xrefs: 00470CD3
Skipping due to "onlyifdoesntexist" flag., xrefs: 00470C76
Non-default bitness: 32-bit, xrefs: 00470B63
.tmp, xrefs: 0047125F
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470F6C
Installing into GAC, xrefs: 004719A2
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470F5D
Time stamp of our file: %s, xrefs: 00470C43
Couldn't read time stamp. Skipping., xrefs: 00470FDD
Version of existing file: (none), xrefs: 00470FA2
Installing the file., xrefs: 004711B1
Skipping due to "onlyifdestfileexists" flag., xrefs: 004711A2
Same version. Skipping., xrefs: 00470F8D
Will register the file (a type library) later., xrefs: 004717A1
Incrementing shared file count (32-bit)., xrefs: 00471833
User opted not to overwrite the existing file. Skipping., xrefs: 004710F5
Version of our file: %u.%u.%u.%u, xrefs: 00470D98
Incrementing shared file count (64-bit)., xrefs: 0047181A
, xrefs: 00470E77, 00471048, 004710C6
Dest filename: %s, xrefs: 00470B3C
Version of our file: (none), xrefs: 00470DA4
Dest file is protected by Windows File Protection., xrefs: 00470B95
Same time stamp. Skipping., xrefs: 00470FFD
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047113E
Time stamp of existing file: (failed to read), xrefs: 00470CDF
Version of existing file: %u.%u.%u.%u, xrefs: 00470E24
Existing file is protected by Windows File Protection. Skipping., xrefs: 00471094
@, xrefs: 00470A58
Non-default bitness: 64-bit, xrefs: 00470B57
Dest file exists., xrefs: 00470C63
Existing file is a newer version. Skipping., xrefs: 00470EAA
Will register the file (a DLL/OCX) later., xrefs: 004717AD
Existing file has a later time stamp. Skipping., xrefs: 00471077
-- File entry --, xrefs: 004709A3
Uninstaller requires administrator: %s, xrefs: 0047141D
Failed to strip read-only attribute., xrefs: 0047117B
InUn, xrefs: 004713ED
Stripped read-only attribute., xrefs: 0047116F
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470F78
Time stamp of our file: (failed to read), xrefs: 00470C4F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-4021121268
Opcode ID: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
Instruction ID: 00dcbbebc37e67597ddb11db3b00c056d98a3663d13b65a1c96947d1bb872b77
Opcode Fuzzy Hash: 37ba39076e8f210f702745b7d33ab1b6cbc29d83952fc568139b6c082dd49221
Instruction Fuzzy Hash: 2C927534A04288DFDB11DFA9C845BDDBBB5AF05304F5480ABE848AB392C7789E45CB59

Function 0042E0AC Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
GetVersion.KERNEL32(00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A

Strings

advapi32.dll, xrefs: 0042E117
CheckTokenMembership, xrefs: 0042E112

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
Instruction ID: 1c76bb1748f4203a7925b196b2d5623075850b54fd141b793a49aa5c8bf5bf77
Opcode Fuzzy Hash: dfa08fd94d7286335d22f987ae6d0bc512a1d03bb366aa7b3c061580d116a88c
Instruction Fuzzy Hash: 22517571B44615EEEB10EAE6A842BBF7BACDB09304F9404BBB501F7282D57C9904867D

Function 004502AC Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00480618), ref: 004502BF
LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480618), ref: 004502D7
GetProcAddress.KERNEL32(6FEF0000,RmStartSession), ref: 004502F5
GetProcAddress.KERNEL32(6FEF0000,RmRegisterResources), ref: 0045030A
GetProcAddress.KERNEL32(6FEF0000,RmGetList), ref: 0045031F
GetProcAddress.KERNEL32(6FEF0000,RmShutdown), ref: 00450334
GetProcAddress.KERNEL32(6FEF0000,RmRestart), ref: 00450349
GetProcAddress.KERNEL32(6FEF0000,RmEndSession), ref: 0045035E

Strings

Rstrtmgr.dll, xrefs: 004502D2
RmRestart, xrefs: 0045033E
RmStartSession, xrefs: 004502EA
RmEndSession, xrefs: 00450353
RmGetList, xrefs: 00450314
RmRegisterResources, xrefs: 004502FF
RmShutdown, xrefs: 00450329

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 1968650500-3419246398
Opcode ID: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
Instruction ID: 1cbd638475316f18669290cc5db137bdc69b0bbe350ace6e5bf0246856dda450
Opcode Fuzzy Hash: e7a86348d8f011b95a06015b0bab06b6210f60d72cb8efa7c77c846e57fe45c9
Instruction Fuzzy Hash: CC11A5B4541740DBDA10FBA5BB85A2A32E9E72C715B08563BEC44AA1A2DB7C4448CF9C

Function 00423C1C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
Instruction ID: adb1057a9d0d7329e5210459a6b6756db00cf693e958207d3a560887342e2c6b
Opcode Fuzzy Hash: 8e2e69a12e9eff459782c0c50b644f6d48cf10d105da74f526d2b860ae1f2e99
Instruction Fuzzy Hash: EBE1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE81DB08

Function 00467710 Relevance: 15.6, APIs: 4, Strings: 4, Instructions: 1649
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0049529C: GetWindowRect.USER32(00000000), ref: 004952B2

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467ADF

Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467AF9), ref: 0041D6EB

Part of subcall function 004674EC: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5
Part of subcall function 004674EC: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C

Part of subcall function 00466EAC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4

Part of subcall function 00495520: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0049552A

Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5

Part of subcall function 004951EC: 73E9A570.USER32(00000000,?,?,?), ref: 0049520E
Part of subcall function 004951EC: SelectObject.GDI32(?,00000000), ref: 00495234
Part of subcall function 004951EC: 73E9A480.USER32(00000000,?,00495292,0049528B,?,00000000,?,?,?), ref: 00495285

Part of subcall function 00495510: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0049551A

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02139D60,0213B94C,?,?,0213B97C,?,?,0213B9CC,?), ref: 00468769
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046877A
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468792

Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082

Strings

STOPIMAGE, xrefs: 00467AD4
k H, xrefs: 004679D9, 004679ED
, xrefs: 00467BA1
(Default), xrefs: 00468D7B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE$k H
API String ID: 3271511185-4041106330
Opcode ID: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
Instruction ID: 2b4e5e33b1fbe28ecfb2af168a793b611adbc31a6fcb8730d9662ddd01b2079a
Opcode Fuzzy Hash: 8c5f56ff46f7a67da8681be0a4bf9e1c58ad281b7cd8555ea36c903984038836
Instruction Fuzzy Hash: 6CF2C7386005208FCB00EB59D9D9F9973F5BF49304F1582BAF5049B36ADB74AC46CB9A

Function 004751F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 00475251
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047532E
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00475362,?,?,0049C1D0,00000000), ref: 0047533C

Strings

unins???.*, xrefs: 0047523B
unins, xrefs: 004752A4

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
Instruction ID: 9ba6e551af2be01ae54f2bf6d4feb37662207b66b60327addd096aea054bc42d
Opcode Fuzzy Hash: a837fad0235e4b9e7aba6803d3a4e161a7614f9d7543318200369ea6c4804c70
Instruction Fuzzy Hash: 333153706005489FDB10EB65D981ADE77B9EF44344F5080F6A80CAB3B2DBB89F418B58

Function 00452A4C Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A89
GetLastError.KERNEL32(00000000,?,00000000,00452AAF,?,?,-00000001,00000000), ref: 00452A91

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
Instruction ID: 2517da8cadb6fb7e7a3bde91136fc32a544ec95f0d2c756002249f4fd287b9db
Opcode Fuzzy Hash: 8734e5af750e444322e05c8d8760e218afcb813f3cdff8847798d95c72a82f1b
Instruction Fuzzy Hash: B9F0F971A04604AB8B20DBA69D0149EB7ACEB46725710467BFC14E3292EAB94E048558

Function 0046E38C Relevance: 3.0, APIs: 2, Instructions: 28comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0000049C,0046E422), ref: 0046E396
CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,0000049C,0046E422), ref: 0046E3B2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
Instruction ID: ca204bcfc643a6eeda20b237376823326e775e7ff9cf44b6f5c5a065e078b710
Opcode Fuzzy Hash: 8ad8c01d14ab9cfbb68706b1f8329e070a5efeb3acbbf88c6fea7131f03e9687
Instruction Fuzzy Hash: 80F0A035282200DEEB1097AADC45B4A37C1BB20718F40007BF440D7391E3FDD8908A5F

Function 00408570 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED

Function 00423B94 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 00455588 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 0045559E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
Instruction ID: 445fb77b721d6e8bc33303137c5d79e403f1e24c04085a252f4bbff9531eb306
Opcode Fuzzy Hash: cd9d261bbe345dbfbc1978f69ea3c80f8509ceaa1a51dcff4dfe5a18c54a8916
Instruction Fuzzy Hash: 6AD0C271304704A3C700AAA99C825AA35DD8B84315F00483F3CC6DA3C3FABDDA481696

Function 0042F530 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F54C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
Instruction ID: 55aff4e3ab0814f5b97a0c0db1ec4da333d3f7c11773d115dc143ade784a7ab4
Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
Instruction Fuzzy Hash: BAD05E7120010C7B9B00DE9CE840C6B33BC9B88700BA08825F918C7202C634ED5187A8

Function 0046F300 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 500
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046F0EC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F

Part of subcall function 0046F15C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F

RegCloseKey.ADVAPI32(?,0046F9A5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F9F0,?,?,0049C1D0,00000000), ref: 0046F998

Strings

DisplayIcon, xrefs: 0046F61B
QuietUninstallString, xrefs: 0046F68F
Comments, xrefs: 0046F794
" /SILENT, xrefs: 0046F682
DisplayVersion, xrefs: 0046F6AC
HelpLink, xrefs: 0046F720
NoModify, xrefs: 0046F7C8
Inno Setup: User, xrefs: 0046F492
UninstallString, xrefs: 0046F655
ModifyPath, xrefs: 0046F7B4
URLUpdateInfo, xrefs: 0046F73D
Inno Setup: User Info: Name, xrefs: 0046F54E
Inno Setup: User Info: Organization, xrefs: 0046F563
NoRepair, xrefs: 0046F7DC
Inno Setup: Deselected Tasks, xrefs: 0046F536
InstallDate, xrefs: 0046F7FB
Inno Setup: App Path, xrefs: 0046F426
Inno Setup: Selected Components, xrefs: 0046F4D0
RegisterPreviousData, xrefs: 0046F94E
EstimatedSize, xrefs: 0046F915
Inno Setup: Deselected Components, xrefs: 0046F4EF
InstallLocation, xrefs: 0046F446
Inno Setup: Language, xrefs: 0046F59F
Inno Setup: User Info: Serial, xrefs: 0046F578
Inno Setup: Selected Tasks, xrefs: 0046F517
Inno Setup: Setup Version, xrefs: 0046F3F1
Inno Setup: Icon Group, xrefs: 0046F455
Inno Setup: Setup Type, xrefs: 0046F4B1
DisplayName, xrefs: 0046F5FE
Readme, xrefs: 0046F75A
5.5.0 (a), xrefs: 0046F3F6
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046F356
URLInfoAbout, xrefs: 0046F6E6
MinorVersion, xrefs: 0046F839
_is1, xrefs: 0046F35C
Contact, xrefs: 0046F777
MajorVersion, xrefs: 0046F827
Inno Setup: No Icons, xrefs: 0046F473
HelpTelephone, xrefs: 0046F703
Publisher, xrefs: 0046F6C9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Value$Close
String ID: " /SILENT$5.5.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3391052094-1769338133
Opcode ID: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
Instruction ID: 138fe2a8aa43a8f2517aa1aee13eacc10811dc4b0cf032f1bf39601b5d09dcc5
Opcode Fuzzy Hash: 67f6315d958a58f45cb4284f97db66795a1d98a02650a50bcbb58ac39832d899
Instruction Fuzzy Hash: 96126331A001089BCB04EB55F891ADE77F5FB49304F60807BE841AB396EB79BD49CB59

Function 00492208 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,004926FD,?,?,?,?,00000000,00000000,00000000), ref: 00492248
FindWindowA.USER32(00000000,00000000), ref: 00492279

Strings

LOADDLL, xrefs: 0049250B
SLEEP, xrefs: 00492232
FINDWINDOWBYWINDOWNAME, xrefs: 00492291
SENDMESSAGE, xrefs: 004922CD
POSTMESSAGE, xrefs: 00492323
FINDWINDOWBYCLASSNAME, xrefs: 00492255
SENDBROADCASTMESSAGE, xrefs: 00492415
SENDBROADCASTNOTIFYMESSAGE, xrefs: 004924B7
POSTBROADCASTMESSAGE, xrefs: 00492463
CREATEMUTEX, xrefs: 00492629
CHARTOOEMBUFF, xrefs: 0049269E
FREEDLL, xrefs: 004925F4
OEMTOCHARBUFF, xrefs: 0049265B
SENDNOTIFYMESSAGE, xrefs: 0049237F
REGISTERWINDOWMESSAGE, xrefs: 004923DB
CALLDLLPROC, xrefs: 0049256D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 04389725d469abda592edc5d686fc9dc2997d938da4e0f8a72bd6865d44b9f5f
Instruction ID: d4b9d66e752ac066ee841e8e0b6dcdad2790022369f15f3c2d7e05b7c0e56f01
Opcode Fuzzy Hash: 04389725d469abda592edc5d686fc9dc2997d938da4e0f8a72bd6865d44b9f5f
Instruction Fuzzy Hash: 7BC18360B042003BDB14BE3E8D4651F599AAF98704B21DA3FB446EB78BDE7DDC0A4359

Function 004834FC Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0048350D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048351A
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483528
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483530
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048353C
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048355D
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483570
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483576
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048358D

Strings

kernel32.dll, xrefs: 00483508
IsWow64Process, xrefs: 0048352A
GetNativeSystemInfo, xrefs: 00483514
GetSystemWow64DirectoryA, xrefs: 00483557
RegDeleteKeyExA, xrefs: 00483566
advapi32.dll, xrefs: 0048356B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
Instruction ID: aef9cc714e700b71c16e3c25fef244724f393c0ebf8792b51c17ae6c670cb8ad
Opcode Fuzzy Hash: 902794c9b05e674b3c8cbfb7d2ebb6c35b92e2ba612f62c852d4d82e66413226
Instruction Fuzzy Hash: 3C11B181104341B4DA22BB799C4AB7FA5C88B14F1EF084C3B6C41662C2DBBCCF45972E

Function 004690F4 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,0046930E,?,?,00000001,00000000,00000000,00469329,?,00000000,00000000,?), ref: 004692F7

Strings

Inno Setup: Deselected Components, xrefs: 00469238
Inno Setup: Setup Type, xrefs: 00469206
Inno Setup: Selected Components, xrefs: 00469216
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469153
Inno Setup: Deselected Tasks, xrefs: 00469285
Inno Setup: Selected Tasks, xrefs: 00469263
Inno Setup: User Info: Name, xrefs: 004692B3
Inno Setup: Icon Group, xrefs: 004691D2
Inno Setup: App Path, xrefs: 004691B6
Inno Setup: User Info: Serial, xrefs: 004692D9
%s\%s_is1, xrefs: 00469171
Inno Setup: No Icons, xrefs: 004691DF
Inno Setup: User Info: Organization, xrefs: 004692C6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
Instruction ID: 061cd232f3236ea8aa9d1be5d6e88d15b117e94232a8cb9589ebe07a9024ca8b
Opcode Fuzzy Hash: 25db79955295e6fcdf5aa6e288321b734c42c3c57179da3fb439077398282def
Instruction Fuzzy Hash: 2451A530A007049BCB11DB65D991BDEB7F9EF49304F5084BAE841A7391E778AE05CB59

Function 0047CB30 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74A90000,SHGetFolderPathA), ref: 0047CC32

Strings

Failed to load DLL "%s", xrefs: 0047CC15
_isetup\_shfoldr.dll, xrefs: 0047CB62
Failed to get address of SHGetFolderPath function, xrefs: 0047CC43
shell32.dll, xrefs: 0047CBDD
Failed to get version numbers of _shfoldr.dll, xrefs: 0047CB88
shfolder.dll, xrefs: 0047CB95, 0047CBCE
SHFOLDERDLL, xrefs: 0047CB6F
SHGetFolderPathA, xrefs: 0047CC27
-rI, xrefs: 0047CC10

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc
String ID: -rI$Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-1821436788
Opcode ID: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
Instruction ID: 6634b889f1a60bd4549a24dd6789ad2f54a0d6468ac2a8038bb9781f42ef23c6
Opcode Fuzzy Hash: 6ffe9b8d239fe87f34ca3bad4a2ef70314c6aab1a19caa776437c1588b9a665e
Instruction Fuzzy Hash: 8531E970A00109DFCF11EFA9D9D29EEB7B5EB44304B60847BE808E7241D738AE458B6D

Function 00406334 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E

Strings

SetSearchPathMode, xrefs: 00406357
SetDllDirectoryW, xrefs: 00406341
SetProcessDEPPolicy, xrefs: 0040636D
kernel32.dll, xrefs: 00406335

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
Opcode Fuzzy Hash: 44a467ebc0bbd25a117d5635929f8822d44e7a6198a0967341d1dbca25e1581a
Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

Function 00423884 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
RegisterClassA.USER32(00499630), ref: 004238C7
GetSystemMetrics.USER32(00000000), ref: 004238E9
GetSystemMetrics.USER32(00000001), ref: 004238F8
SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
Instruction ID: c8b20579a229f032ee7a03b4d787949f367ffe63dd75f0d430c9c3a529dbdbac
Opcode Fuzzy Hash: f8f7b9d3de02a5f634ff8a39374b78efb95d56f414cac3a76e6abeb800e2fe0e
Instruction Fuzzy Hash: 813172B17402006AEB10AF65AC82F6B36989B14308F10017BFA40AE2D3C6BDDD40876D

Function 004674EC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046758F
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004675B5

Part of subcall function 0046742C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004674C4
Part of subcall function 0046742C: DestroyCursor.USER32(00000000), ref: 004674DA

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 0046760C
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046766D
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467693

Strings

k H, xrefs: 004674F7
c:\directory, xrefs: 0046758A
shell32.dll, xrefs: 004675F0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$k H$shell32.dll
API String ID: 3376378930-433663191
Opcode ID: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
Instruction ID: 265839c963417482dd86c951db209f81288bb0a388fd09f062db7983cc26d63d
Opcode Fuzzy Hash: 29e72a9552dfdc2cbc6caa590d21046d5f8b548d470bab6826c497dca36ee432
Instruction Fuzzy Hash: B2516070604604AFDB10EF69CD89FDFB7E8EB48318F1081A6F9049B391D6399E81CA59

Function 0042F570 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0042F59F
GetFocus.USER32 ref: 0042F5A7
RegisterClassA.USER32(004997AC), ref: 0042F5C8
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F69C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F606
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F64C
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F65D
SetFocus.USER32(00000000,00000000,0042F67F,?,?,?,00000001,00000000,?,00458696,00000000,0049B628), ref: 0042F664

Strings

TWindowDisabler-Window, xrefs: 0042F5FF, 0042F645

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
Instruction ID: 092f1afd63313efa57bcf667ad1f00c9caddf595d34af2871f870ebe591ae418
Opcode Fuzzy Hash: b2433ce4ffe1b1f942b14f487daced2f86516ced4add7bc415a00a8a37101852
Instruction Fuzzy Hash: 20219F70740710BAE710EF62AD03F1A76A8EB04B04FA1413AF504AB2D1D7B96D5586ED

Function 004531DC Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C

Strings

Wow64RevertWow64FsRedirection, xrefs: 0045320C
Wow64DisableWow64FsRedirection, xrefs: 004531F2
kernel32.dll, xrefs: 004531F7, 00453211
shell32.dll, xrefs: 00453248

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
Instruction ID: 5e931287d6eebe3694b70f0ad3549e6df422da746536320e83a51589c54bb73f
Opcode Fuzzy Hash: c24ac2f37dcd2c5f05e81832aa1b687e7eaf3d26bd242744e205e68ddaa02280
Instruction Fuzzy Hash: 5B017570240B45AFD711AF73AD02F167658E705B57F6044BBFC0096286D77C8A088EAD

Function 0047C800 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 108COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C893
GetLastError.KERNEL32(00000000,00000000,00000000,0047C973,?,?,00000000,0049B628,00000000,00000000,?,00497F09,00000000,004980B2,?,00000000), ref: 0047C89C

Strings

_isetup, xrefs: 0047C87E
REGDLL_EXE, xrefs: 0047C910
Created temporary directory: , xrefs: 0047C835
\_setup64.tmp, xrefs: 0047C92B
\_RegDLL.tmp, xrefs: 0047C900

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
API String ID: 1375471231-1421604804
Opcode ID: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
Instruction ID: 2e7cf1fa8793a22cdcb7cccf6aa375e82942df810c5d1ff78a46bc34c798803d
Opcode Fuzzy Hash: 20565183d399805a0260eecee190a14380a82a44589236b9bd3091d604848e13
Instruction Fuzzy Hash: 65411474A001099BDB00EFA5D8C2ADEB7B9EB44309F50857BE91477392DB389E058B69

Function 00430950 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430958
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430967
GetCurrentThreadId.KERNEL32 ref: 00430981
GlobalAddAtomA.KERNEL32(00000000), ref: 004309A2

Strings

commdlg_help, xrefs: 00430953
commdlg_FindReplace, xrefs: 00430962
WndProcPtr%.8X%.8X, xrefs: 00430993

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
Instruction ID: fe08fc0df2a0eca0a869f0df0621173a2940aa0bc2523ddfe777e35bb070d714
Opcode Fuzzy Hash: 78856a4ce41e30232f7250bb6d0de12fd7185dbc6f50e75004d9522d85a73123
Instruction Fuzzy Hash: 30F082B0958340CEE300EB25994271A7BE0EF58318F00467FF498A63E2D7399900CB5F

Function 004723E4 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 263fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 00472591
FindClose.KERNEL32(000000FF,004725BC,004725B5,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004725AF
FindNextFileA.KERNEL32(000000FF,?,00000000,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951), ref: 004726B3
FindClose.KERNEL32(000000FF,004726DE,004726D7,?,00000000,?,0049C1D0,00000000,00472783,?,00000000,?,00000000,?,00472951,?), ref: 004726D1

Strings

"*G, xrefs: 0047242A, 00472441
"*G, xrefs: 0047263B, 0047263E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: "*G$"*G
API String ID: 2066263336-450946878
Opcode ID: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
Instruction ID: 3872decae14ce2498a692a517acaa1cf84d86a609609514027ee2c14d85ef847
Opcode Fuzzy Hash: 731f9d001d9b8b0b4781793d64753bce726ea54262d8f8a63928cd792b5168e5
Instruction Fuzzy Hash: 6CB13E7490424DAFCF11DFA5C981ADEBBB9FF49304F5081AAE808B3251D7789A46CF58

Function 00454FFC Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218,00000000), ref: 004551A6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00455218,00455218,00000031,00455218), ref: 004551B3

Part of subcall function 00454F68: WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
Part of subcall function 00454F68: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
Part of subcall function 00454F68: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
Part of subcall function 00454F68: CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5

Strings

COMMAND.COM" /C , xrefs: 00455110
D, xrefs: 00455144
.bat, xrefs: 0045508C
.cmd, xrefs: 004550A7
cmd.exe" /C ", xrefs: 004550D9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
Instruction ID: 314af404618b4f06b129018ed763823481dfe4f790e250d6c958622b2bfe97d6
Opcode Fuzzy Hash: 2fd3dae9d75497d44160d5c5904f03d0a65dfeb3736f9e9635dbb4a286748838
Instruction Fuzzy Hash: 12515A30A0074DABDB11EF95C892BEEBBB9AF44705F50407BB804B7282D7785A49CB59

Function 0042369C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
OemToCharA.USER32(?,?), ref: 0042376C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Strings

MAINICON, xrefs: 00423721
2, xrefs: 004236FA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
Instruction ID: fd9f9c5161a85cdd37c149357dc6ae372d2e201a3957992c444bec056041847b
Opcode Fuzzy Hash: 751299a27fb29773dc730031d78ffe09a982dc500c90bea8db2431fb333e9452
Instruction Fuzzy Hash: 89319270A042549ADF14EF2998857C67BE8AF14308F4441BAE844DB393D7BED988CB99

Function 00418F48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
GetCurrentThreadId.KERNEL32 ref: 00418F89
GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA

Part of subcall function 004230D8: 73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
Part of subcall function 004230D8: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
Part of subcall function 004230D8: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D

Strings

ControlOfs%.8X%.8X, xrefs: 00418F9B
Delphi%.8X, xrefs: 00418F5F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 1580766901-2767913252
Opcode ID: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
Instruction ID: 147b0fd3ac44816fa50e213e98ef70cab9cb63b371fef283777c7ccc396f8742
Opcode Fuzzy Hash: cfc1acdfd4e85ff2d131a9f4d40f785a7290ab9aa4a67b06bd919a79267a8431
Instruction Fuzzy Hash: BB112EB06142409AC740FF76A94265A7BE1DB64318F40843FF448EB2D1DB7D99448B5F

Function 0041364C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
GetWindowLongA.USER32(?,000000F0), ref: 0041367F
GetWindowLongA.USER32(?,000000F4), ref: 00413691
SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
SetPropA.USER32(?,00000000,00000000), ref: 004136BB
SetPropA.USER32(?,00000000,00000000), ref: 004136D2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
Instruction ID: 955d73ee8c9e489f8eb805393a0cdbf9fe7b6d9765079e051d97cf620cdedb95
Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
Instruction Fuzzy Hash: D811C975500248BFDB00DF9DDC84EDA3BE8EB19364F144666B918DB2A1D738DD908BA8

Function 004556C4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045585B,?,00000000,0045589B), ref: 004557A1

Strings

WININIT.INI, xrefs: 004557D0
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455724
PendingFileRenameOperations, xrefs: 00455740
PendingFileRenameOperations2, xrefs: 00455770

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
Instruction ID: 5ff55985f0d79b0cf99ef6a0ef0ae12f56fe6c83aec1de8438bfb9543cdeefde
Opcode Fuzzy Hash: e596244eac119ca3746a9610a602a7bde82fbf058035d963e90b8d4b6900848c
Instruction Fuzzy Hash: BB519670E006089FDB10FF61DC51AEEB7B9EF45305F50857BE804A7292DB7CAA49CA58

Function 00423A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A2C), ref: 00423AB8
GetWindow.USER32(?,00000003), ref: 00423ACD
GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

Strings

lAB, xrefs: 00423B02, 00423B06

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: lAB
API String ID: 4191631535-3476862382
Opcode ID: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
Instruction ID: 20c146af1fa2ebf8fe73d6cd857ce812a249192cdefe4c29475ac4fba41381ea
Opcode Fuzzy Hash: 5f05c18b5ef50282e2e62587cef3ede3e0bfa46b8e8bdba155623c697b582535
Instruction Fuzzy Hash: 4E115E70700610ABDB109F28DD85F6A77E8EB04725F50026AF9A49B2E7C378ED40CB59

Function 0042DE54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,0049722D), ref: 0042DE7B
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81

Strings

RegDeleteKeyExA, xrefs: 0042DE71
advapi32.dll, xrefs: 0042DE76

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
Instruction ID: 51feda2b41882886fdb541a0ee71ee95ad591444612597d61ea777cd3c773b46
Opcode Fuzzy Hash: 1efadd4f9f0c0ea65d6d931b2dfdd832bea74e7cc2ac9dff72f3f3dd5b00937e
Instruction Fuzzy Hash: 3EE06DB1B41B30AAD72032A57C8AB932629DB75326F658537F005AE1D183FC2C50CE9D

Function 0046BE48 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

PrepareToInstall failed: %s, xrefs: 0046C14B
Need to restart Windows? %s, xrefs: 0046C172
NextButtonClick, xrefs: 0046BF84

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
Instruction ID: 1202268df95ceb0eead913a0caf14b6b564ec17a2e6689a58d7256d675820d07
Opcode Fuzzy Hash: 221dd23b7cfc17f66ca7de120067e16c15a7d044e53f2a8722f04dc11adac0dc
Instruction Fuzzy Hash: 64C16D34A04208DFCB00DB98C9D5AEE77B5EF05304F1444B7E840AB362D778AE41DBAA

Function 00482B0C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,00482E54), ref: 00482C30
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482CC5

Strings

Need to restart Windows? %s, xrefs: 00482D02
, xrefs: 00482D82

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
Instruction ID: 8ca071c16d970d9f92bb59f1fa37784b4b8a51c549d6f2244aaf7164950ab745
Opcode Fuzzy Hash: 42b6435f46a46e58fbbfcf74279f1aaa99ef9f12c59d4801a02600e2121285e9
Instruction Fuzzy Hash: 2191B4346042458FDB10EB69D9C5BAD77F4AF59308F0084BBE8009B3A2CBB8AD05CB5D

Function 0046FD84 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838

GetLastError.KERNEL32(00000000,0046FF81,?,?,0049C1D0,00000000), ref: 0046FE5E
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FED8
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FEFD

Strings

Creating directory: %s, xrefs: 0046FE46

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
Instruction ID: bdf8a9d00633064e3922ce557b3b2562df44373322d6b4000fae74d311730630
Opcode Fuzzy Hash: 1f02ae1e850569658feceaaf3c85ff1782ed1f35d471b3de261e4d8f3d8ed172
Instruction Fuzzy Hash: AE513F74A00248ABDB04DFA5D582BDEB7F5AF09304F50817BE850B7382D7786E08CB69

Function 00454DC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E6E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F34), ref: 00454ED8

Strings

sfc.dll, xrefs: 00454E30
SfcIsFileProtected, xrefs: 00454E68

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
Instruction ID: 1a17c74f1ac94ad93f17d87dc1e08c5ddb540f3824a5df31749c88666692504e
Opcode Fuzzy Hash: 6a91046d7309a4de6cfc4beec76e0de6ac9bbff88298f3f0baf31012854e5b94
Instruction Fuzzy Hash: 6A41A630A042189BEB10DB69DC85B9D77B8AB4430DF5081B7E908A7293D7785F88CF59

Function 0044B39C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B411
SelectObject.GDI32(?,00000000), ref: 0044B434
73E9A480.USER32(00000000,?,0044B474,00000000,0044B46D,?,00000000,?,00000000,00000000,0044B49D,?,k H,?,?), ref: 0044B467

Strings

k H, xrefs: 0044B3A4

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: A480A570ObjectSelect
String ID: k H
API String ID: 1230475511-1447039187
Opcode ID: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
Instruction ID: b5872ed9d16ca79c431bae9e7544c15e8f802733be01f045b529408bc148fe47
Opcode Fuzzy Hash: d4c138e2771e5465782f1838dde397b15c475f1a6013829dedf10027ea17c150
Instruction Fuzzy Hash: 6D217470A04248AFEB15DFA5C851B9EBBB9EB49304F51807AF504E7282D77CD940CB69

Function 0044B0D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B15C,?,k H,?,?), ref: 0044B12E
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B141
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B175

Strings

k H, xrefs: 0044B0D8

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID: k H
API String ID: 65125430-1447039187
Opcode ID: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
Instruction ID: 2dd5a1fcad8022b5ecdd36c3e8438632fadfe976456551c737a9f8dd3ea145e1
Opcode Fuzzy Hash: 9eee4d412d6110b2587a1d6710a95c773ea7c34e3a7d98a27860af6b4704048a
Instruction Fuzzy Hash: A3110BB6700604BFE700DB5A9C91D6F77ECD749750F10413BF504D72D0C6389E018668

Function 0042ED48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8

Strings

SHAutoComplete, xrefs: 0042EDB2
shlwapi.dll, xrefs: 0042ED83

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
Instruction ID: a33720f3aac7210c00664dabe11b621525643aa7ae94b1405928deeb439ddd4e
Opcode Fuzzy Hash: 0d90ae9549cb3a794f747e0b3b89476a1a48bf8a1e7f9d56d35495b62d60795c
Instruction Fuzzy Hash: 1611A331B00318BBDB11EB62ED81B8E7BA8DB55704F90407BF400A6691DBB8AE05C65D

Function 004559FC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,00455A67,?,00000001,00000000), ref: 00455A5A

Strings

PendingFileRenameOperations2, xrefs: 00455A3B
PendingFileRenameOperations, xrefs: 00455A2C
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A08

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
Instruction ID: a84b10804161a04e9b7828e63518c67389a2277fb2d5ef6d9c2d81c30e1ce2e0
Opcode Fuzzy Hash: a871c7690d9b103e0f7f2022bbb7230101daa82acd14c33f99511ba30d6e5aa6
Instruction Fuzzy Hash: 49F09671714A04BFEB05D665DC72E3A739CD744B15FA1446BF800C6682DA7DBE04951C

Function 0047F804 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?,00000000), ref: 0047F8AA
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?,?), ref: 0047F8B7
FindNextFileA.KERNEL32(000000FF,?,00000000,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D), ref: 0047F9AC
FindClose.KERNEL32(000000FF,0047F9D7,0047F9D0,?,?,?,?,00000000,0047F9FD,?,00000000,00000000,?,?,00480C0D,?), ref: 0047F9CA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
Instruction ID: d4c1b09f85a1e3ce5f066f5119f691750f955bf6e0a6470712ab8dbd39f482a6
Opcode Fuzzy Hash: dd47ce488d5ea13da555b7d1a4745cf9b199e366fd9c8806cfe2b69594f7a430
Instruction Fuzzy Hash: 80513E71A00648AFCB10EF65CC45ADEB7B8AB88315F1085BAA818E7351D7389F49CF59

Function 00421284 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421371
SetMenu.USER32(00000000,00000000), ref: 0042138E
SetMenu.USER32(00000000,00000000), ref: 004213C3
SetMenu.USER32(00000000,00000000), ref: 004213DF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
Instruction ID: 7918b5ac66a49b7c70f092078a7f06842b1ce09055eaa5e04548cec6233339c2
Opcode Fuzzy Hash: fcb1d01c21a3638414a8535da0e373d0dc57cc6d33ffad44a18b700e1522ce17
Instruction Fuzzy Hash: 7D41A13070025447EB20EA79A9857AB26969F69318F4805BFFC44DF3A3CA7DDC45839D

Function 00416B52 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B94
SetTextColor.GDI32(?,00000000), ref: 00416BAE
SetBkColor.GDI32(?,00000000), ref: 00416BC8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69

Function 004230D8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
73EA4620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: A4620A480A570EnumFonts
String ID:
API String ID: 178811091-0
Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E

Function 0045C5C8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F

FlushFileBuffers.KERNEL32(?), ref: 0045C7FD

Strings

EndOffset range exceeded, xrefs: 0045C731
NumRecs range exceeded, xrefs: 0045C6FA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 90e5250bcff3ed4b7b339ef7eb4c65d9cfede30e5b4b48ed32eefd4799847540
Instruction ID: 42c6ccb15965a4bc01c0ab80d29458e35b3cecf9486565f2d0e9c4cbdba5a9bf
Opcode Fuzzy Hash: 90e5250bcff3ed4b7b339ef7eb4c65d9cfede30e5b4b48ed32eefd4799847540
Instruction Fuzzy Hash: A5617134A002988FDB24DF25C891AD9B7B5EF49305F0084DAED89AB352D774AEC9CF54

Function 00498578 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498586), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498586), ref: 00403356

Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498590), ref: 0040633A
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498590), ref: 0040637E

Part of subcall function 00409B88: 6F9C1CD0.COMCTL32(0049859A), ref: 00409B88

Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2

Part of subcall function 00419050: GetVersion.KERNEL32(004985AE), ref: 00419050

Part of subcall function 0044F754: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
Part of subcall function 0044F754: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795

Part of subcall function 0044FBFC: GetVersionExA.KERNEL32(0049B790,004985C7), ref: 0044FC0B

Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 004531FC
Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453202
Part of subcall function 004531DC: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453275,?,?,?,?,00000000,?,004985D6), ref: 00453216
Part of subcall function 004531DC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045321C

Part of subcall function 00456EEC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10

Part of subcall function 00464960: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
Part of subcall function 00464960: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975

Part of subcall function 0046D098: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD

Part of subcall function 00478B3C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
Part of subcall function 00478B3C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F

Part of subcall function 00495584: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049559D

SetErrorMode.KERNEL32(00000001,00000000,0049863C), ref: 0049860E

Part of subcall function 00498338: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
Part of subcall function 00498338: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348

Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,0049863C), ref: 0049866F

Part of subcall function 00482050: SetActiveWindow.USER32(?), ref: 004820FE

Strings

Setup, xrefs: 00498655

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 504348408-3839654196
Opcode ID: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
Instruction ID: d131c851e578025af209eb9e9c2d0e6aaf1cfb04eb4cc82699b843ce611002a7
Opcode Fuzzy Hash: 0b193bc7ab6d0367c14efa4071f6efbf19235d44a4c70119fe87f529ba434d3c
Instruction Fuzzy Hash: 5C31D4702046409ED601BBBBED5352E3B98EB8A718B61487FF804D6553CE3D6C148A3E

Function 00453A10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A56
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AFF,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A5F

Strings

.tmp, xrefs: 00453A3F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
Instruction ID: fcbeb811eea92760dd82faa40bdacdd366465f8a5342b7af386d3ee3900427bd
Opcode Fuzzy Hash: 3cb25ddd520bb7346a311bd12df13eef30655657fdbd9206c6de24d758997ec8
Instruction Fuzzy Hash: 5A213375A00208ABDB01EFA1C8429DEB7B9EB48305F50457BE801B7342DA789F058AA5

Function 0047C310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C596,00000000,0047C5AC,?,?,?,?,00000000), ref: 0047C372

Strings

RegisteredOwner, xrefs: 0047C34F
RegisteredOrganization, xrefs: 0047C361

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
Instruction ID: cd6b81515cbcb541a42d20c803a6709c30f964b406f28b15d8fe69fce277d2ff
Opcode Fuzzy Hash: 3cef9cafc9ae7832fbb6eaa2bd4d40f0f71bbb09bcea78efdfdb807f20eb42b3
Instruction Fuzzy Hash: 41F09030704204ABEB00D669ECD2BAA33A99746304F60C03FA9088B392D6799E01CB5C

Function 004754BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754E1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004756F3), ref: 004754F8

Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B

Strings

CreateFile, xrefs: 004754ED

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
Instruction ID: 40e201e46ebb19b1d9bf90fbf766f72b309683208074062896c4944ddf319cda
Opcode Fuzzy Hash: fa36eb7f5e292efbad873286b983b31a245b5f10299435e2a562660d120c4ecb
Instruction Fuzzy Hash: CDE065702403447FDA10F769CCC6F4577889B14729F10C155B5446F3D2C5B9EC408628

Function 0042DE2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DE46
c6H, xrefs: 0042DE42, 0042DE45

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows$c6H
API String ID: 71445658-1548894351
Opcode ID: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
Instruction ID: b14c86e398362f8621ba381b59967aff518ca924b2daa5b46ce173f8349262a2
Opcode Fuzzy Hash: 532c08fc3a5ebe879a42036bede715a90f251433598981f36561c2967c82051c
Instruction Fuzzy Hash: BFD0C772950128BBDB00DA89DC41DFB775DDB15760F45441BFD049B141C1B4EC5197F8

Function 00456EEC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00456E7C: CoInitialize.OLE32(00000000), ref: 00456E82

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456F10

Strings

shell32.dll, xrefs: 00456F05
SHCreateItemFromParsingName, xrefs: 00456EFB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
Instruction ID: 6d1f0b9ea2f83cf17b9d56af39d37ffc4890966232cc80b75afa5f9be50b51f8
Opcode Fuzzy Hash: 22a7af04fdfb7e1cbc8590484576be710a33bf4538556d1874791685a96bf942
Instruction Fuzzy Hash: 97C04CA1B4169096CB00B7FAA54361F2414DB5075FB96C07FBD40BB687CE7D8848AA2E

Function 0046D098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046D0AD

Strings

SHPathPrepareForWriteA, xrefs: 0046D098
shell32.dll, xrefs: 0046D0A2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
Instruction ID: 608de25eae135e4754017d8cf95b07e3007941af04aa8fd5541e4ba3120ba520
Opcode Fuzzy Hash: 4bfb7ae62aec4cae49a8b0683f2b36ac3bef8159a448d5ae1ca26c94081968f3
Instruction Fuzzy Hash: 69B092E0F056008ACF00A7F6984260A10059B8071DF90807B7440BB395EA3E840AAB6F

Function 0044853C Relevance: 4.7, APIs: 3, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448719), ref: 0044865C
GetProcAddress.KERNEL32(00000000,00000000), ref: 004486DD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
Instruction ID: bcb50df029510264ac3c8269deb9aca16d778d72fab4f9fb4f479d94b6d7f3fe
Opcode Fuzzy Hash: 9e6f6b39164a2250cf52a4aeb4930d02d61dfc433358958cd5631fa5a9f36d71
Instruction Fuzzy Hash: 09514170A00105AFDB40EFA5C491A9EBBF9EB54315F11817EA414BB392DA389E05CB99

Function 00481704 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,0048183C), ref: 004817D4
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004817E5
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004817FD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
Instruction ID: b36482c1273671328963914ac1a7ecaae55131090c894365c145815d0470a156
Opcode Fuzzy Hash: 700b5811d02ba2ff172c742152fb081413fabfeab2321fa183ac7a2ab913d185
Instruction Fuzzy Hash: 02318E307043445AD721FB359D82BAE3A989B15318F54593FB900AA3E3CA7C9C4A87AD

Function 004524FC Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

751C1520.VERSION(00000000,?,?,?,004972D0), ref: 0045251C
751C1500.VERSION(00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452549
751C1540.VERSION(?,004525C0,?,?,00000000,?,00000000,?,00000000,00452597,?,00000000,?,?,?,004972D0), ref: 00452563

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: C1500C1520C1540
String ID:
API String ID: 1315064709-0
Opcode ID: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
Instruction ID: b47a7e64509d5cca070909842564d4f4e78a1d1ae8fea26b0cdd83eea50adb12
Opcode Fuzzy Hash: 386d1b7d14527d93b72562f1672999fd2f5aa3ff7ed0da5cad2ac492ae89063e
Instruction Fuzzy Hash: 6B218371A00148AFDB01DAA989519AFB7FCEB4A300F55447BFC00E3342E6B99E04CB65

Function 0042440C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
TranslateMessage.USER32(?), ref: 0042449F
DispatchMessageA.USER32(?), ref: 004244A9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A

Function 00416654 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 0041667A
SetPropA.USER32(00000000,00000000), ref: 0041668F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
Instruction ID: 2262f6f032fbfc8c948eb6af5e1566575da4c35a9ecfa624f63ddadf83d7b404
Opcode Fuzzy Hash: c3da473eafe02ab8e789e0609dcd6af1eaad0cb973784c7fd29191cc4dc7f6ad
Instruction Fuzzy Hash: E3F0B271701210ABD710AB599C85FA632DCAB09719F160176BD09EF286C778DC40C7A8

Function 0041EE64 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EE74
IsWindowEnabled.USER32(?), ref: 0041EE7E
EnableWindow.USER32(?,00000000), ref: 0041EEA4

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
Instruction ID: eab114e884733e02e348d5fb54c1eeaedaab2d2a8f53f62e6f3f1b5b82b3488b
Opcode Fuzzy Hash: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
Instruction Fuzzy Hash: 90E0EDB9100300AAE711AB2BEC81A57769CBB94314F45843BAC099B293DA3EDC409B78

Function 0046A26C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0046A378

Strings

PrepareToInstall, xrefs: 0046A322, 0046A3C9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ActiveWindow
String ID: PrepareToInstall
API String ID: 2558294473-1101760603
Opcode ID: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
Instruction ID: 163d609461ff3b9580316b21a780dec1cd9204125e937a74b025edb926540d27
Opcode Fuzzy Hash: 2f09c314b6fb54b1472f2c84d4998d1c671ccdc982530a6e1a6c91392ff97de1
Instruction Fuzzy Hash: 90A10A34A00109DFCB00EB99D985EEEB7F5AF88304F1580B6E404AB362D738AE45DF59

Function 0046C764 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

/:*?"<>|, xrefs: 0046C900, 0046C917

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID: /:*?"<>|
API String ID: 0-4078764451
Opcode ID: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
Instruction ID: b706238f5af82f8a54f925a22e06db4ee79b372672e861a4edd763b161806009
Opcode Fuzzy Hash: daa5e4ec58dfd3a4f8b67407405db92af73f638a584e66193a323fc2660a566c
Instruction Fuzzy Hash: 6F7197B0B44244AADB20E766DCC2BEE77A19F41704F108167F5807B392E7B99D45878E

Function 00482050 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 004820FE

Strings

InitializeWizard, xrefs: 00482097

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
Instruction ID: b8891c381381d1a0014b65a4ce29d1dfbbdf9d421e77ac889de6892087eb3363
Opcode Fuzzy Hash: 4cb1695e49b1b07e3586b425a713be07569947560fbf0fba233168fdeef3d44e
Instruction Fuzzy Hash: BE118234205204DFD711EBA5FE96B2977E4EB55314F20143BE5008B3A1DA796C50CB6D

Function 0047C22C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C472,00000000,0047C5AC), ref: 0047C271

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C241

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
Instruction ID: 70811ca8e083c9a3dbfae153db117623eb743e792d78c4ccda021ebaf15ccddc
Opcode Fuzzy Hash: 6e2d5090e95b4c6fabdd9168d7cad944b3593745ae6ad0b3bb6d2af319e0c910
Instruction Fuzzy Hash: 8EF08931B0411467DA00A5DA5C82B9E56DD8B55758F20407FF508EB253D9B99D02036C

Function 0046F0EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,004763FA,?,0049C1D0,?,0046F403,?,00000000,0046F99E,?,_is1), ref: 0046F10F

Strings

Inno Setup: Setup Version, xrefs: 0046F10D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version
API String ID: 3702945584-4166306022
Opcode ID: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
Instruction ID: 253732d940e31991125f8b939195b5ca02eb4333684dc2ddbbcc15e62aa31341
Opcode Fuzzy Hash: 734ac0f1c1098741eb0e60cbf617dbc9041c5452899e61f021b18629f5aca0fc
Instruction Fuzzy Hash: 3BE06D713012047FD710AA6B9C85F5BBADDDF993A5F10403AB908DB392D578DD4081A8

Function 0046F15C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F7DA,?,?,00000000,0046F99E,?,_is1,?), ref: 0046F16F

Strings

NoModify, xrefs: 0046F16D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
Instruction ID: dfbc78ba79a393f528aadc4bccb3a1e1d52346a2df28baf9fde3d1272b39f611
Opcode Fuzzy Hash: 14b653d2795b3180ab09acf432715bdcca8a399851f75d04a8bb0bb30e96b91c
Instruction Fuzzy Hash: D8E04FB4604304BFEB04DB55DD4AF6B77ECDB48750F10415ABA04DB281E674EE00C668

Function 0047DF80 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047E25F,?,-0000001A,004800D8,-00000010,?,00000004,0000001B,00000000,00480425,?,0045DECC), ref: 0047DFF6

Part of subcall function 0042E32C: 73E9A570.USER32(00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0042E33B
Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
Part of subcall function 0042E32C: 73E9A480.USER32(00000000,?,0042E38B,00000000,00000000,0042E384,?,00000000,00000000,0048048C,?,?,00000001,00000000,00000002,00000000), ref: 0042E37E

SendNotifyMessageA.USER32(000203DC,00000496,00002711,-00000001), ref: 0047E1C6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: A480A570EnumFontsMessageNotifySend
String ID:
API String ID: 2685184028-0
Opcode ID: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
Instruction ID: 0ea8e5e95b90053dcc80dc26f94e29a170662e2b3e10ca2db4d961c35622b213
Opcode Fuzzy Hash: d5a98fd350b21412a22cf4123539bd0c298e95acb479fbe192b8033f652af546
Instruction Fuzzy Hash: 2651A6746001508BD710FF27D9C16963799EB88308B90C6BBA8089F367C77CDD068B9D

Function 0042DC10 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
Instruction ID: 0afc69acb925fd444515a6cbe8b6240f093bd173affdd4b5aabebdcedbe93bcc
Opcode Fuzzy Hash: dcaea444aa2693f3151e4f161b8541bd325653ac2cf38fab622dd52302d9ecee
Instruction Fuzzy Hash: E0414F71E00529ABDB11DF95D881BAFB7B8AB00714F90846AE800F7241D778AE00CBA9

Function 0042DED0 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
Instruction ID: 2fe76ac110d60e281b9c8dcd8425dafac1d5c60e45ccd2ae84570cbaedcb928d
Opcode Fuzzy Hash: 18687f4e18b3232f9437fac6e5314fb2332009eed5616211d6a140e10b5cd508
Instruction Fuzzy Hash: 52319170F04258AEDB11DFA2DD82BAEB7B9EB48304F91407BE501E7281D6785A01CA2D

Function 004527D4 Relevance: 3.1, APIs: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452828
GetLastError.KERNEL32(00000000,00000000,?,?,004580B4,00000000,0045809C,?,?,?,00000000,0045284E,?,?,?,00000001), ref: 00452830

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: 256024ef10b7bad05e9cca563efcf05eafb457725b2bcd1ab333216967b323f1
Instruction ID: 3ad6dec6d32dc5e6ab031f6e5884ad9a987dc2d9ff381773f4694f698bcb58b9
Opcode Fuzzy Hash: 256024ef10b7bad05e9cca563efcf05eafb457725b2bcd1ab333216967b323f1
Instruction Fuzzy Hash: D3117972600208AF8B00DEADDD41DABB7ECEB4E310B10456BFD08E3201D678AE148BA4

Function 0040AFD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 020963cbed5d1efe29b5c6b0b84e3d8c20ff6c1b4cf1f3711bef16ed23147c41
Instruction ID: 22447e907da962d806d3eb032de74b702d5affa043e15eb070a4a3d902aeafed
Opcode Fuzzy Hash: 020963cbed5d1efe29b5c6b0b84e3d8c20ff6c1b4cf1f3711bef16ed23147c41
Instruction Fuzzy Hash: 0001DF71300604AFD710FF69DC92E1B77A9DB8A718711807AF500AB7D0DA79AC0096AD

Function 0041EEB4 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EF03
73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: A5940CurrentThread
String ID:
API String ID: 2589350566-0
Opcode ID: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
Instruction ID: 3b2ca51acea6f31c20bceb620234c512699c69eae89bb1383ecfa3b3ac64bed2
Opcode Fuzzy Hash: 4f622a916fb84fb1e9f1f3e222a7611e51385d213cb7cd19795c9b5a33aefee2
Instruction Fuzzy Hash: FD013976A04604BFDB06CF6BDC1195ABBE9E789720B22887BEC04D36A0E6355810DE18

Function 00452C6C Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00452CAE
GetLastError.KERNEL32(00000000,00000000,00000000,00452CD4), ref: 00452CB6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
Instruction ID: 8cb4f6990e07c72a34a39c3d349ee9eec810a974928c7dd1f8c60ebce1e721cc
Opcode Fuzzy Hash: 4a87794495b209091e638427933314290125c3fb15c22ae1653921e41cb98622
Instruction Fuzzy Hash: D5014971B00204BB8B11DF799D414AEB7ECEB4A32531045BBFC08E3243EAB84E048558

Function 0045275C Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527BB), ref: 00452795
GetLastError.KERNEL32(00000000,00000000,00000000,004527BB), ref: 0045279D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
Instruction ID: 7517b5081c7c6af98826394809c6fe2d976c468da5ddf52a6f68070703836f12
Opcode Fuzzy Hash: 638905229d0ae290751701005a3127306b10a627987a4e9871fe20b3b513e6c4
Instruction Fuzzy Hash: 40F0FC71A04704AFCF00DF759D4199EB7E8DB0E715B5049B7FC14E3242E7B94E1485A8

Function 0042324C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423259
LoadCursorA.USER32(00000000,00000000), ref: 00423283

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
Instruction ID: c8375b04fab070422f53c3d6524130e38f027298e82d6ab835706982cf041ecc
Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
Instruction Fuzzy Hash: 0FF0A711704114AADA105D7E6CC0E2B7268DB91B36B6103BBFA3AD72D1C62E1D41457D

Function 0042E3A4 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
Instruction ID: 98bcbcc3e9aaf4c66058534b39987ccdd7eb12bd14468eaf88ad72af9e5505e3
Opcode Fuzzy Hash: 7795cc8daa252176d65de3d8f3118caac988bfa791d53a68a28aad838e50b78c
Instruction Fuzzy Hash: D5F05E70A14744BEDF119F779C6282ABAACE749B1179248B6F810A3691E67D48108928

Function 004162DA Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 004162F1
GetClassInfoA.USER32(00000000,?,?), ref: 00416301

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
Instruction ID: dc9e2acc6f173dd0cc3aa24d84b637cb0067f0ccc6b7cec6a0fcec59befe77f5
Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
Instruction Fuzzy Hash: 22E012B26015155ADB10DB999D81EE326DCDB09310B110167BE14CA246D764DD005BA4

Function 004508E4 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 004508FA
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,004703F1,?,00000000), ref: 00450902

Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
Instruction ID: a22a311b57bf1dff13f45894218d9c0eaf9de3d8271a2984ee0ce7717fd7efee
Opcode Fuzzy Hash: 740b0e3b535324eeb3a184350110131e2b1ae31ce216053ff26069d2cbf9fe72
Instruction Fuzzy Hash: E0E012B53042059BFB00FA6599C1F3B63DCDB44315F00447AB984CF187D674CC155B29

Function 00406274 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 00406276
GlobalLock.KERNEL32(00000000), ref: 0040627C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Global$AllocLock
String ID:
API String ID: 15508794-0
Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9

Function 004085E4 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603

Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
Instruction ID: ea6634d2ed8774f5e90a5a6f355d63bed973dafba18e0ec7d48b30ffe24ea089
Opcode Fuzzy Hash: 2ab4847006ef9acfce6ccb5f1f64a91e8b74d27154e4f0e7901e4566ca639e1f
Instruction Fuzzy Hash: C4314375E001199BCF01DF95C8819EEB7B9FF84314F15857BE815AB286E738AE018B98

Function 0041FBAC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6

Function 0046C6F8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C756,?,00000000,?,?,0046C968,?,00000000,0046C9DC), ref: 0046C73A

Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$A5940CurrentEnablePathPrepareThreadWrite
String ID:
API String ID: 3104224314-0
Opcode ID: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
Instruction ID: 552ca42e7a4f22222615ff1de8f8c20df724e6475abae56b3c63f202feb1ec23
Opcode Fuzzy Hash: 7310e4a240e1736cfb30b9abd7a9c8d32e29debdd45fb2130da0edd2c14fc99c
Instruction Fuzzy Hash: 28F0E270248300FFEB059BB2EDD6B2577E8E319716F91043BF504866D0EA795D40C96E

Function 004413A4 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 004413BB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: d0e136ad155d69288fc423feb27b218c22c44688115b59a91c3ffefc647f2292
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: F0F0FF70509209DBBB1CCF54D0919AF7B71EB59310F20806FE907877A0D6346A80D759

Function 00416560 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
Instruction ID: 39ad6e161323637dbb8254467e02d50acedd081d31d6b9d15e1adfc5f54150e8
Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
Instruction Fuzzy Hash: 6EF02BB2200510AFDB84CF9CD9C0F9373ECEB0C210B0481A6FA08CF24AD220EC108BB0

Function 004149C4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 004507B0 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507F0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
Opcode Fuzzy Hash: 838f498b19bb2aafec3be0ee987651bf511c4e6d2f63907cf4f88042037e4973
Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8

Function 0042CCDC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A11,00000000,00452A32,?,00000000), ref: 0042CD07

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
Instruction ID: bebe06870d533199fa05ec681e6f815a7bc371a3e359dcca221b2f893a48d47d
Opcode Fuzzy Hash: a570e9d0cc49cd9ea48ac8d9958fbde071fca7bece3969a5989dcb135d147aed
Instruction Fuzzy Hash: 0AE06571304308BFD701EB62EC92A5EBBECD749714B914476B400D7592D5B86E008458

Function 0042E8D8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
Instruction ID: 1e04b5e42f682bd3307758a00633d1e15c64123c11c882a5e2d093d9edca25ee
Opcode Fuzzy Hash: 1d16c149c237ab05d394d1dcd15bc1a2ba242a73302d35381885c392630e106f
Instruction Fuzzy Hash: E7E0D86178432126F23524166C43B7B110E43C0704FD080267A809F3D6D6EE9949425E

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 0042DDF4 Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
Instruction ID: 00bf656f3cc58d957e3fc120c7d975a7f6f089e768df8f95d2ce2a55afbcf34e
Opcode Fuzzy Hash: b59592ccec0b1853c0d50eb209755673f49d30f0d63234ebc8c06611609486a1
Instruction Fuzzy Hash: 69E07EB2600119AF9B40DE8CDC81EEB37ADAB1D350F414016FA08E7200C274EC519BB4

Function 00454BE4 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,00470C14,00000000,00471A10,?,00000000,00471A59,?,00000000,00471B92,?,00000000,?,00000000), ref: 00454BFA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
Instruction ID: 3c3cb6916585ff7422749358fc170cdffb6a73b651657da6609ae8be1e4b77d0
Opcode Fuzzy Hash: cdb9c2b7633e0d7853738bb459b1a46babdaf032508dd36dba6af5da7df12373
Instruction Fuzzy Hash: A7E065B0A056004BCB15DF3A858021A76D25FC5325F05C96AAC58CF397D63C84955656

Function 0041468C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(004953B6,?,004953D8,?,?,00000000,004953B6,?,?), ref: 004146AB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406F18 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675

Function 0042365C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D

ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
Opcode Fuzzy Hash: 6539159081c566a845655d997cb077fb8df4a929aa301bd67fb88950e555413a
Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC

Function 004242D4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242EC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8

Function 0042CD34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,004515B7,00000000), ref: 0042CD3F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
Instruction ID: 866207c2a99293721dc17515f5e31636ca325c5e587501d47fbe5ff4e718b97c
Opcode Fuzzy Hash: 25b3c26d3c79b78b40e0be7c0404abf70c39e9d787657ef1c43052f1caeba7d8
Instruction Fuzzy Hash: 77C08CE03222001A9A20A6BD2CC950F06CC891437A3A41F77B439E72E2D23DD8162018

Function 00466EAC Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467B94,00000000,00000000,00000000,0000000C,00000000), ref: 00466EC4

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 00406EC8 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: 69b9da7e15ce352a50602e67f4a233c0d3270223495d3e32e43592fe9d1f4da4
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 00450918 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F

Part of subcall function 004506A0: GetLastError.KERNEL32(004504BC,00450762,?,00000000,?,004977FC,00000001,00000000,00000002,00000000,0049795D,?,?,00000005,00000000,00497991), ref: 004506A3

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
Instruction ID: d892f33e09ba9bc7304af59ed1bd982b4427bde6cd355302a364b0e8927efaaf
Opcode Fuzzy Hash: 2f3da4ea7652235e9563b7b11f328aef08bde54833d269609cfe7e93d4b3e5df
Instruction Fuzzy Hash: 2DC04CA9300101879F00BAAE95D190663D85E583057504066B944CF207D668D8144A18

Function 004072B0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Function 0042E3FF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
Instruction ID: 55140b1eedf56d48a55774d01a07de49d55d18186a895614534630d02c3c9fff
Opcode Fuzzy Hash: 874db3389c4172aa30432ca027f259e533f636a378579170be3356e0d0ef28c9
Instruction Fuzzy Hash: D4B09B7671C6105DFB05D695745152D63D4D7C57203E14577F010D7580D53D58004D18

Function 004165FC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

73EA5CF0.USER32(?), ref: 00416603

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Function 00448738 Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
Instruction ID: 3a42617683b163d9d3e29dc322e321d1f787465d7b697eb1a78dfeb7447b1e7e
Opcode Fuzzy Hash: f5c68f552ed74045d4ecaf4ea1ad1c13e781980e3dd0252519992c1da40edc52
Instruction Fuzzy Hash: CB518574E042099FEB01EFA9C892AAEBBF5EF49314F50417AE500E7351DB389D45CB98

Function 0047DA48 Relevance: 1.4, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047DC20,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DBDA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
Instruction ID: a4a2cf2857c8d8ea8b604d5a3bb359359cf50968c17c86877c7e7666634e0114
Opcode Fuzzy Hash: 6347e2abfdb9d8760a4239e6b67e4a018abca6dee8a8eb8bc94886bd32a16ad8
Instruction Fuzzy Hash: 79519C30A04248AFDB20DF65D8C5BAABBB8EB18304F118077E804A73A1D778AD45CB59

Function 0041F3D4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6d92aa0cb1a2d53983b86e461a62a4ce5a5a47657027c2647c88d78d486bc28e
Instruction ID: 6bd7adec2090487eae29abc1928bf57af59456791c97a49d6ef8c5917aacc84c
Opcode Fuzzy Hash: 6d92aa0cb1a2d53983b86e461a62a4ce5a5a47657027c2647c88d78d486bc28e
Instruction Fuzzy Hash: 0E1148742007069BC710DF19D880B86FBE5EB98390B10C53BE9588B385D374E8558BA9

Function 00452FB0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00453019), ref: 00452FFB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
Instruction ID: 3702fe8876d82bde104835ae14f19b545f9b4323f369928b31ff8c7c86e788f0
Opcode Fuzzy Hash: 0834ab1e0ff74d13c83467379b9d37ae80668f7e4bd4fe23633cfebca466aa95
Instruction Fuzzy Hash: 32014C356043086A8B10CF69AC004AEFBE8DB4D7217108277FC14D3382DA744E0496E4

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001860,00005863,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8

Function 00406F50 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406F51

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
Opcode Fuzzy Hash: b938081ec37ef3dcaeb0613a6c9f19dce7446eae7aee343fbba8aa446800b67d
Instruction Fuzzy Hash:

Non-executed Functions

Function 0041F128 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F

Strings

Ctl3dAutoSubclass, xrefs: 0041F223
Ctl3dCtlColorEx, xrefs: 0041F20E
Ctl3dDlgFramePaint, xrefs: 0041F1F9
BtnWndProc3d, xrefs: 0041F262
Ctl3dUnregister, xrefs: 0041F1BA
Ctl3dRegister, xrefs: 0041F191
Ctl3dUnAutoSubclass, xrefs: 0041F238
Ctl3DColorChange, xrefs: 0041F24D
Ctl3dSubclassCtl, xrefs: 0041F1CF
Ctl3dSubclassDlgEx, xrefs: 0041F1E4
CTL3D32.DLL, xrefs: 0041F159

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
Instruction ID: d5058fc073e0ad59750b6b6eed82d26134d8568d962b0a84cfd108907e917b52
Opcode Fuzzy Hash: 7561659b3b600d63638f3944902fd7923d8484a487a3f9680a3db5d0744bedbe
Instruction Fuzzy Hash: 8D310DB2640700EBEB01EBB9AC86A663294F728724745093FB508DB192D77C5C49CB1C

Function 0045892C Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00458993
QueryPerformanceCounter.KERNEL32(02123858,00000000,00458C26,?,?,02123858,00000000,?,00459322,?,02123858,00000000), ref: 0045899C
GetSystemTimeAsFileTime.KERNEL32(02123858,02123858), ref: 004589A6
GetCurrentProcessId.KERNEL32(?,02123858,00000000,00458C26,?,?,02123858,00000000,?,00459322,?,02123858,00000000), ref: 004589AF
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458A25
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02123858,02123858), ref: 00458A33
CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458A7B
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458BD1,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458BE2), ref: 00458AB4

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458B5D
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00458B93
CloseHandle.KERNEL32(000000FF,00458BD8,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458BCB

Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B

Strings

CreateProcess, xrefs: 00458B66
Starting 64-bit helper process., xrefs: 00458961
Cannot utilize 64-bit features on this version of Windows, xrefs: 00458974
CreateFile, xrefs: 00458A89
SetNamedPipeHandleState, xrefs: 00458ABD
i, xrefs: 00458B10
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 004589FB
helper %d 0x%x, xrefs: 00458B3C
CreateNamedPipe, xrefs: 00458A43
64-bit helper EXE wasn't extracted, xrefs: 00458987
D, xrefs: 00458AD6
Helper process PID: %u, xrefs: 00458BB0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
Instruction ID: 46381a2ef6f5f7687f8d932114089cfc0a3b3023078b53c1614b04e084b280c9
Opcode Fuzzy Hash: b3cb95de96f0a494fe77a0225261b47a74f516519aada3d90b4a318c7d3773ef
Instruction Fuzzy Hash: 02711370A04348AEDB11DB69CC41B5EBBF8EB15705F1084BAB944FB282DB7859488B69

Function 00478420 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 0047828C: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02122BE0,?,?,?,02122BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
Part of subcall function 0047828C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
Part of subcall function 0047828C: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BE0,?,?,?,02122BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
Part of subcall function 0047828C: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BE0,?,?,?,02122BE0), ref: 004782E8
Part of subcall function 0047828C: CloseHandle.KERNEL32(00000000,?,?,?,02122BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306

Part of subcall function 00478364: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004783F6,?,?,?,02122BE0,?,00478458,00000000,0047856E,?,?,-00000010,?), ref: 00478394

ShellExecuteEx.SHELL32(0000003C), ref: 004784A8
GetLastError.KERNEL32(00000000,0047856E,?,?,-00000010,?), ref: 004784B1
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004784FE
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478522
CloseHandle.KERNEL32(00000000,00478553,00000000,00000000,000000FF,000000FF,00000000,0047854C,?,00000000,0047856E,?,?,-00000010,?), ref: 00478546

Strings

runas, xrefs: 00478475
ShellExecuteEx returned hProcess=0, xrefs: 004784D2
<, xrefs: 00478467
ShellExecuteEx, xrefs: 004784C2
GetExitCodeProcess, xrefs: 0047852B
MsgWaitForMultipleObjects, xrefs: 0047850B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
Instruction ID: be90243bdd9c3757315ff9bbcfcad83cd6a8df60a98d136a70e83fac94f3d3e4
Opcode Fuzzy Hash: 7bc79704bed3dd733a1086ace77ac7314c1c869dae30f57a13a5b111f7ab0a8e
Instruction Fuzzy Hash: E0314670A40609BEDB11EFAAD845ADEB6B8EF05314F50847FF518E7281DB7C89058B19

Function 0042286C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
Instruction ID: ac1ceeab966790095f9612ce7a7db5e594191b89627cdcc61fab65d1acc55ab9
Opcode Fuzzy Hash: ba2239a6b7e39db5a6c256e0bd052b844ec1d952261cb85ab3a20d26880a6eee
Instruction Fuzzy Hash: 79914071B04214BFD711EFA9DA86F9D77F4AB04314F5500BAF504AB3A2CB78AE409B58

Function 00418394 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004183A3
GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
GetWindowRect.USER32(?), ref: 004183DC
GetWindowLongA.USER32(?,000000F0), ref: 004183EA
GetWindowLongA.USER32(?,000000F8), ref: 004183FF
ScreenToClient.USER32(00000000), ref: 00418408
ScreenToClient.USER32(00000000,?), ref: 00418413

Strings

,, xrefs: 004183AC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
Opcode Fuzzy Hash: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9

Function 004555D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555FE
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455625
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045562A
ExitWindowsEx.USER32(00000002,00000000), ref: 0045563B

Strings

SeShutdownPrivilege, xrefs: 004555F7

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
Instruction ID: f0f78ca649e8ddc1473c2e21848b41e7847a09c75f53dffa28e6f5675cd8c776
Opcode Fuzzy Hash: 905e5c4f0c040865ada5a790a5680192090f128290145b13f19b3701cccf3d3d
Instruction Fuzzy Hash: 32F0F670284B42B9E610AA758C13F3B21C89B40B49F80083EBD09EA1C3D7BDC80C4A2F

Function 0045D4EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D4F5
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D505
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D515
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F47B,00000000,0047F4A4), ref: 0045D53A

Strings

ArcFourCrypt, xrefs: 0045D50F
ISCryptGetVersion, xrefs: 0045D4EF
ArcFourInit, xrefs: 0045D4FF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
Instruction ID: 2c2546d05897d0e560449e180de6b9da44e6f0241588afb6de3da162f6531889
Opcode Fuzzy Hash: 6323a5a980eb8feb456ca02504bfb6ad995229d531f09a6584140c28355fd360
Instruction Fuzzy Hash: 3AF012F0940704EBEB18DFB6BCC67623695ABD531AF14C137A404A51A2E778044CCE1D

Function 00497A74 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90,?,?,00000000,0049B628), ref: 00497ACB
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497B4E
FindNextFileA.KERNEL32(000000FF,?,00000000,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000), ref: 00497B66
FindClose.KERNEL32(000000FF,00497B91,00497B8A,?,00000000,?,00000000,00497BB2,?,?,00000000,0049B628,?,00497D3C,00000000,00497D90), ref: 00497B84

Strings

isRS-???.tmp, xrefs: 00497AB5
isRS-, xrefs: 00497AEB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
Instruction ID: b2847bb1a44685988a55541ee7ac685ebeb66ffb5e30493f66813578f7a68db2
Opcode Fuzzy Hash: ba647548f34564e7f56f6c808fa7faec3af05a969934c2433d5159a38f0bbcda
Instruction Fuzzy Hash: A63165719146186FCF10EF65CC41ADEBBBCDB45318F5084F7A808A32A1E638AE458F58

Function 004573CC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 238windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457449
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457470
SetForegroundWindow.USER32(?), ref: 00457481
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045775B,?,00000000,00457797), ref: 00457746

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575C6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
Instruction ID: 5bc10c0d354cae83c82450a0913647aad13fd3ad71d4eb48676ad76960377df7
Opcode Fuzzy Hash: fe95ac23089f8abddac86e3d9ae11b4981b9e88786854755ce7e63a50dbcddc8
Instruction Fuzzy Hash: D9910034608204EFD715CF54E991F5ABBF9EB89305F2180BAED0897792D638AE04DF58

Function 00455DF8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F37), ref: 00455E28
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E2E

Strings

kernel32.dll, xrefs: 00455E23
GetDiskFreeSpaceExA, xrefs: 00455E1E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
Instruction ID: 12dfdd1b414f9b5fa57bb507e68127e36b1c1a940f154b23c6ee37fdedd7ee09
Opcode Fuzzy Hash: b5f149e20a31f3d313834126475bcf244ddb8ed42aa7b007c000aa6233a22d25
Instruction Fuzzy Hash: 66415171A04649AFCF01EFA5C8929EFB7B8EF49304F508566F800F7252D6785E09CB69

Function 00417CE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Strings

,, xrefs: 00417D61

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
Opcode Fuzzy Hash: 419626ddcb93f619c016e5eb608395eb97e33a9638738bd346f5ce49c9230b00
Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68

Function 00464048 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00464205), ref: 00464079
FindFirstFileA.KERNEL32(00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 00464108
FindNextFileA.KERNEL32(000000FF,?,00000000,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 0046419A
FindClose.KERNEL32(000000FF,004641C1,004641BA,?,00000000,?,00000000,004641D8,?,00000001,00000000,00464205), ref: 004641B4

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
Instruction ID: 2652c2d8e8669354d55d474f1d59e7b06630ff05c6329d0403030a32038cf055
Opcode Fuzzy Hash: ae980c7907389dfafffe65f94222ffd443bde6570b10391f97ae33023227fa5d
Instruction Fuzzy Hash: 1E418770A00618AFCF10EF65DC55ADEB7B8EB89705F5044BAF804E7381E67C9E848E59

Function 004644C4 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,004646AB), ref: 00464539
FindFirstFileA.KERNEL32(00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 0046457F
FindNextFileA.KERNEL32(000000FF,?,00000000,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464634
FindClose.KERNEL32(000000FF,0046465F,00464658,?,00000000,?,00000000,00464676,?,00000001,00000000,004646AB), ref: 00464652

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
Instruction ID: 7635123f594c8b6db569002a9bb01bf8fa96c74c2cf80da52efac59b167f1e7c
Opcode Fuzzy Hash: 8a1b155a3f91a4aa9fbf35308e738363c59e35d7d54ec670dc4b6b29b87b573a
Instruction Fuzzy Hash: D8416171A00A18EBCB10EFA5CC959DEB7B9EB88305F4044AAF804A7351E77C9E448E59

Function 0042E944 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E966
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E99E
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9A6
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F2B,00000000,00452F4C), ref: 0042E9AC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
Instruction ID: 40e29ed62a0e901db822078ff48c294e58af048427126d47a83bbc7ee0829aa9
Opcode Fuzzy Hash: db388d08dfb8c48f2ab297580a8778080e815d8e8b0b37ff587e49df53ef3670
Instruction Fuzzy Hash: 4BF090B23A17207AF620B57A6C86F7F418CC785B68F10823BBB04FF1C1D9A85D05556D

Function 004833BC Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004833FA
GetWindowLongA.USER32(00000000,000000F0), ref: 00483418
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048343A
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,004828DE,00482912,00000000,00482932,?,?,?,0049C0A4), ref: 0048344E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
Instruction ID: 9902e76ed030cf172564c6423cfc444f456bf65fce7539c2ce1f68efba32f602
Opcode Fuzzy Hash: 26f2524beb83a1697fb2f3c3d4c3f5548a09f48141019de32dcd2365822c4b68
Instruction Fuzzy Hash: 4D017134A452019EEB11BBA5DD8AB5B27C45F10B09F08083BB9029F2A3CB6D9D41D71C

Function 00462ABC Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00462B90), ref: 00462B14
FindNextFileA.KERNEL32(000000FF,?,00000000,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B50
FindClose.KERNEL32(000000FF,00462B77,00462B70,?,00000000,?,00000000,00462B90), ref: 00462B6A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
Instruction ID: 0f193a6fcf1d943c675bf75123405c31ceeb2ecab595186adb6c93933d2a98b0
Opcode Fuzzy Hash: f304b7e405ec9403326d096206e821460da1cdcff9736e6297f3d959ba5c8769
Instruction Fuzzy Hash: 7121D871904B087EDB11DF65CC51ADEBBACDB49704F5084F7E808E31A1E6BCAE44CA5A

Function 004241EC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241F4
SetActiveWindow.USER32(?,?,?,0046CFFB), ref: 00424201

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021225AC,0042421A,?,?,?,0046CFFB), ref: 00423B5F

SetFocus.USER32(00000000,?,?,?,0046CFFB), ref: 0042422E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
Instruction ID: 85e094fd83fda52d6ba69bb43f194f943737e29f022f28d5c3d7585fd8a6de7d
Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
Instruction Fuzzy Hash: ECF03A717001208BDB10EFAAA8C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8

Function 00417CDE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
Opcode Fuzzy Hash: e9f294a83204c688928c4c422749f875b3ddc518ff0edd6358ab4a317cb2701d
Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8

Function 004175A8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175D3
GetCapture.USER32 ref: 004175DC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
Instruction ID: edcb67aebd7cb7e0e4c3241a821d6ac110e093164443c601d5aebb18a23c44a8
Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
Instruction Fuzzy Hash: A2F04F32304A028BDB21A72EC885AEB62F5DF84368B14443FE415CB765EB7CDCD58758

Function 004241A4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241AB

Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724

Function 004125E8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
Instruction ID: 2af12fea25256c3ae9471bae8fd4feed52cec15eb5e351c91de8273fd3ce68b3
Opcode Fuzzy Hash: c048b5060f638d2d21f70beb9f23f52c1df829a0825c59c0675cf40435b3c9a3
Instruction Fuzzy Hash: 055106316082058FD710DB6AD681A9BF3E5FF98304B2482BBD814C7392D7B8EDA1C759

Function 004789DC Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478B2A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
Instruction ID: 518aae51b6d6b411e39a58dd47dc5b2362a2c83c3bfed1ee6c3543fdde473bb3
Opcode Fuzzy Hash: 9f19c8960208bf84e0a1f031f05f2c13e84af91581ae166fbadb947181b78a5a
Instruction Fuzzy Hash: 04413775644104DFCB10CF99C6898AAB7F5FB48310B74CA9AE848DB705DB38EE41DB54

Function 0045D5A0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D5AB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574

Function 0045D5B8 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DDBC,?,0046DF9D), ref: 0045D5BE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3386673933.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3386653827.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3386694535.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3386673933.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.3386653827.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3386694535.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Function 0044B668 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B614: GetVersionExA.KERNEL32(00000094), ref: 0044B631

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7D9
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7EB
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7FD
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B80F
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B821
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B833
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B845
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B857
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B869
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B87B
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B88D
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B89F
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8B1
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8C3
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8D5
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8E7
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8F9
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B90B
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B91D
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B92F
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B941
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B953
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B965
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B977
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B989
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B99B
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B9AD
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9BF
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9D1
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9E3

Strings

CloseThemeData, xrefs: 0044B6B1
GetThemeSysSize, xrefs: 0044B8DF
GetThemeEnumValue, xrefs: 0044B807
GetThemeColor, xrefs: 0044B7AD
GetThemeTextMetrics, xrefs: 0044B72F
SetWindowTheme, xrefs: 0044B885
GetThemeSysColor, xrefs: 0044B8A9
IsThemeActive, xrefs: 0044B927
GetThemeFont, xrefs: 0044B82B
DrawThemeIcon, xrefs: 0044B777
GetThemeSysInt, xrefs: 0044B915
GetThemeBool, xrefs: 0044B7E3
GetThemeAppProperties, xrefs: 0044B981
GetThemePropertyOrigin, xrefs: 0044B873
DrawThemeParentBackground, xrefs: 0044B9C9
IsThemePartDefined, xrefs: 0044B789
EnableThemeDialogTexture, xrefs: 0044B95D
EnableTheming, xrefs: 0044B9DB
DrawThemeText, xrefs: 0044B6D5
GetThemeBackgroundRegion, xrefs: 0044B741
IsAppThemed, xrefs: 0044B939
GetThemeTextExtent, xrefs: 0044B71D
GetThemeMargins, xrefs: 0044B84F
GetThemeSysColorBrush, xrefs: 0044B8BB
GetThemeDocumentationProperty, xrefs: 0044B9B7
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B79B
SetThemeAppProperties, xrefs: 0044B993
GetThemeString, xrefs: 0044B7D1
GetThemeIntList, xrefs: 0044B861
GetThemeSysString, xrefs: 0044B903
DrawThemeBackground, xrefs: 0044B6C3
GetThemeMetric, xrefs: 0044B7BF
HitTestThemeBackground, xrefs: 0044B753
GetThemeRect, xrefs: 0044B83D
GetThemeInt, xrefs: 0044B7F5
GetThemeBackgroundContentRect, xrefs: 0044B6E7, 0044B6F9
DrawThemeEdge, xrefs: 0044B765
GetThemePosition, xrefs: 0044B819
GetThemeSysFont, xrefs: 0044B8F1
GetCurrentThemeName, xrefs: 0044B9A5
uxtheme.dll, xrefs: 0044B68A
OpenThemeData, xrefs: 0044B69F
GetWindowTheme, xrefs: 0044B94B
GetThemeSysBool, xrefs: 0044B8CD
GetThemeFilename, xrefs: 0044B897
GetThemePartSize, xrefs: 0044B70B
IsThemeDialogTextureEnabled, xrefs: 0044B96F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
Instruction ID: 346aa6b979044c2d6f95573bc57da9b6801dc261a15d858c7a91061cf3dc2738
Opcode Fuzzy Hash: 0c8e19753f2f8210615bc5a5f26c821a667ede831694cf2c59d6b62027e60e29
Instruction Fuzzy Hash: CC91E7B0A40B50EBEF00EBF5ADC6A2637A8EB15B14714467BB444EF295D778D800CF99

Function 00458184 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 237filesynchronizationprocessCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00499B18,00000001,00000000,00000000,004584B9,?,?,?,00000001,?,004586D3,00000000,004586E9,?,00000000,0049B628), ref: 004581D1
CreateFileMappingA.KERNEL32(000000FF,00499B18,00000004,00000000,00002018,00000000), ref: 00458209
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9,?,?,?), ref: 00458230
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045833D
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045848F,?,00499B18,00000001,00000000,00000000,004584B9), ref: 00458295

Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B

CloseHandle.KERNEL32(004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458354
WaitForSingleObject.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045838D
GetLastError.KERNEL32(00000000,000000FF,004586D3,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045839F
UnmapViewOfFile.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458471
CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458480
CloseHandle.KERNEL32(00000000,00458496,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00458489

Strings

_isetup\_RegDLL.tmp, xrefs: 004582BB
LoadLibrary, xrefs: 004583EB
Spawning _RegDLL.tmp, xrefs: 004581B0
CreateProcess, xrefs: 00458346
REGDLL returned unknown result code %d, xrefs: 00458450
CreateFileMapping, xrefs: 00458217
D, xrefs: 004582FE
ReleaseMutex, xrefs: 0045829E
MapViewOfFile, xrefs: 0045823E
REGDLL failed with exit code 0x%x, xrefs: 0045837D
GetProcAddress, xrefs: 004583FD
CreateMutex, xrefs: 004581DF
OleInitialize, xrefs: 004583D9
REGDLL mutex wait failed (%d, %d), xrefs: 004583B3
_RegDLL.tmp %u %u, xrefs: 004582E5

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
API String ID: 4012871263-351310198
Opcode ID: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
Instruction ID: 29107a7cf73729034b65a1fcaaf08eab05738b19563c620e852bf3134b102344
Opcode Fuzzy Hash: cc7ad6ccf5233eaebe813f6a5333062681ccb791baa3dad4f168156cebafbadf
Instruction Fuzzy Hash: 46914170A002099BDB10EFA9C845B9EB7B4EB05305F50856FED14FB283DF7899498F69

Function 0041CA1C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
73EA4C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
73EA6180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
73EA4C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
73EA4C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
73E98830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
73E922A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
73EA4D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
SelectObject.GDI32(00000000,?), ref: 0041CBFE
DeleteDC.GDI32(00000000), ref: 0041CC14

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
String ID:
API String ID: 1952589944-0
Opcode ID: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
Opcode Fuzzy Hash: adf6567a18e9830f1830aa63917bca934ba6755201e08534c76e5c919bac5cde
Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68

Function 00497DA0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000,004984F9,?,00000000), ref: 00497E23
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000,?,004984EF,00000000), ref: 00497E36
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000,00000000), ref: 00497E46
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00497E67
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498138,?,?,00000000,?,00000000), ref: 00497E77

Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491

Strings

/REGU, xrefs: 00497DF9
/REG, xrefs: 00497DD5
Setup, xrefs: 00497E0F
.lst, xrefs: 00497EB4
Inno-Setup-RegSvr-Mutex, xrefs: 00497E2D
.msg, xrefs: 00497E9A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
Instruction ID: d71e95358f961f9c8085103628ed7ebfe7aaf39cab9d6a0a027eda6f41515cae
Opcode Fuzzy Hash: 082597774f549eda738f03d74d98f9d52f67cfbc56a945ed8bd031ee0c63b3f6
Instruction Fuzzy Hash: C291B530A042449FDF11EBA9DC52BAE7FA4EF4A304F51447BF500AB292DA7DAC05CB59

Function 0045AA3C Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045ACF8,?,?,?,?,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045ABAA

Strings

.hlp, xrefs: 0045AA73
The file appears to be in use (%d). Will delete on restart., xrefs: 0045ABF3
Failed to strip read-only attribute., xrefs: 0045AB8F
Failed to delete the file; it may be in use (%d)., xrefs: 0045AC99
.gid, xrefs: 0045AA8C
.lnk, xrefs: 0045AB17
Stripped read-only attribute., xrefs: 0045AB83
.chw, xrefs: 0045AAF1
.fts, xrefs: 0045AAB0
Deleting file: %s, xrefs: 0045AB49
.chm, xrefs: 0045AAD8

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
Instruction ID: f5e388fb48f96f1c0466849e1c52bdf0d536658550fb6e74c3a20cf80cd44526
Opcode Fuzzy Hash: c66920e5c30c99cf277918279cba3cc6becf5feca79c3c8df3d973bfdf2d3f66
Instruction Fuzzy Hash: 2271AE707002445BDB01EB69D8427AE77A6AF48316F50856BFC01DB383CA7C9A5DC79A

Function 0045CF24 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045CF3E
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CF5E
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CF6B
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CF78
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CF86

Part of subcall function 0045CE2C: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CECB,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CEA5

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D03F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D179,?,?,00000000), ref: 0045D048

Strings

GetNamedSecurityInfoW, xrefs: 0045CF65
SetNamedSecurityInfoW, xrefs: 0045CF72
advapi32.dll, xrefs: 0045CF59
SetEntriesInAclW, xrefs: 0045CF80
W, xrefs: 0045D056

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
Instruction ID: 4ce31bb81caf279f5ed3d10c62bb09a2aad5f6c7ba3f26a8019cd68bbbdcec0a
Opcode Fuzzy Hash: 0692e2fed8a1faf7364eaae3f9f0a99faa4aa2306d0b5476e4b0968c8b8ae958
Instruction Fuzzy Hash: E95193B1D00608EFDB10DFA9C845BAEBBB8EF48315F14806AF915B7381C2389945CF69

Function 00456550 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 282comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,0045688D), ref: 00456592
CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,0045688D), ref: 004565B8
SysFreeString.OLEAUT32(?), ref: 00456745

Strings

IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004567B6
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566A7
IPersistFile::Save, xrefs: 00456814
CoCreateInstance, xrefs: 004565C3
IPropertyStore::Commit, xrefs: 00456795
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045677C
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566DB
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045672A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
API String ID: 308859552-3936712486
Opcode ID: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
Instruction ID: c99fdec92309fd26656a6f7ea9bd91ecf5cc306c054acb75a5569a06f28a4b2e
Opcode Fuzzy Hash: 7d0cfd58331e70c95d7e52b395728c42337191576a3ec6130da080a3535e9fef
Instruction Fuzzy Hash: 29A13E71A00104AFDB50EFA9C885B9E7BF8EF09706F55406AF804E7252DB38DD48CB69

Function 0041B3BC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73EA4C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
73EA4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
73EA6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
73E9A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
73EA4C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
73E9A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Object$Select$Delete$A480A570A6180Stretch
String ID:
API String ID: 1888863034-0
Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4

Function 00472DB8 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 337COMMON

Download Yara Rule

APIs

Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472F70
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473077
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047308D
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004730B2

Strings

.pif, xrefs: 00472E67, 00472FFB
target.lnk, xrefs: 004730FC
.lnk, xrefs: 00472E44
.url, xrefs: 00472E8A
Desktop.ini, xrefs: 00473133
Filename: %s, xrefs: 00472F12
{group}\, xrefs: 00472E12

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
Instruction ID: 1ded2309c22d90a9957aabde76cedeacc99048359e90752decbb9b8a0015ab1b
Opcode Fuzzy Hash: 0d90696b7f394c24cdb4db4d6ef42549a737ff1f83f29ed15b4b10dbb48a3fc8
Instruction Fuzzy Hash: 8FD12574A00149AFDB01EFA9D581BDDBBF5AF08305F50806AF804B7392D778AE45CB69

Function 00454860 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,?,00000000,?,00000000,00454AF9,?,0045AECE,00000003,00000000,00000000,00454B30), ref: 00454979

Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7

RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 004549FD
RegQueryValueExA.ADVAPI32(0045AECE,00000000,00000000,00000000,?,00000004,00000000,00454A43,?,0045AECE,00000000,00000000,?,00000000,?,00000000), ref: 00454A2C

Strings

, xrefs: 004548EA
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548D0
RegOpenKeyEx, xrefs: 004548FC
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454897

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
Instruction ID: 44bd6ba1492406805f437c97fe518088f2f8e7c1bef0b67c8a01139b77ca8c69
Opcode Fuzzy Hash: 77e820d85456ec5b21a3348e7c864f635890ca9680278173730b6b5baa6068b5
Instruction Fuzzy Hash: C0911471944248ABDB10DFE5D942BDEB7FCEB48309F50406BF900FB282D6789E458B69

Function 004597BC Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004596C8: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459863
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 004598CD

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459934

Strings

.NET Framework not found, xrefs: 00459981
v4.0.30319, xrefs: 00459855
v1.1.4322, xrefs: 00459926
v2.0.50727, xrefs: 004598BF
.NET Framework version %s not found, xrefs: 0045996D
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459816
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004598E7
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459880

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
Instruction ID: 729b419896cd5506e065475e0ee5015c208a67e93f4f54458093df2d8724af3d
Opcode Fuzzy Hash: a27e16b2435ffffe3ed3affd436a97f5188f93bd827438211cc6c054a476643b
Instruction Fuzzy Hash: 0051A030A04145EBCB04DFA9C8A1BEE77B69B59305F54447FA841DB393D63D9E0E8B18

Function 00458DA8 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00458DDF
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458DFB
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458E09
GetExitCodeProcess.KERNEL32(?), ref: 00458E1A
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E61
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458E7D

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 00458DD1
Helper process exited., xrefs: 00458E29
Helper process exited, but failed to get exit code., xrefs: 00458E53
Helper process exited with failure code: 0x%x, xrefs: 00458E47
Helper isn't responding; killing it., xrefs: 00458DEB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
Instruction ID: b06cb4cb11178ece3cea1db1bc2ca69ea432733d5239d7d0987fb8f0d427a68f
Opcode Fuzzy Hash: e1e6f1a428ddc606cbac7e5be58ccbeaead76fc5c320782193580adc03ed748c
Instruction Fuzzy Hash: D9216D706047009AD720E679C44275BB6E59F08709F04CC2FB999EB293DF78E8488B2A

Function 00454514 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 0045463B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546EB,?,00000000,004547AF), ref: 00454777

Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0045325F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7

Strings

, xrefs: 0045459D
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454553
RegCreateKeyEx, xrefs: 004545AF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454583

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
Instruction ID: a200d9e45076b9aa1c9026ee470310bfc0f5ccdb1a8093a9a555fb12639cba12
Opcode Fuzzy Hash: a579990beb4c9b51ec5b3fea0749880c5f06a70a884d2fa71269d98e88c3cf61
Instruction Fuzzy Hash: 6C81DE75A00209AFDB00DFD5C941BDFB7F9EB49309F50442AE901FB282D7789A45CB69

Function 00496620 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004538A8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
Part of subcall function 004538A8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0049669D
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004967F1), ref: 004966BE
CreateWindowExA.USER32(00000000,STATIC,00496800,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004966E5
SetWindowLongA.USER32(?,000000FC,00495E78), ref: 004966F8
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC,00496800), ref: 00496728
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0049679C
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000), ref: 004967A8

Part of subcall function 00453D1C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03

73EA5CF0.USER32(?,004967CB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004967C4,?,?,000000FC,00495E78,00000000,STATIC), ref: 004967BE

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00496757
STATIC, xrefs: 004966DE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 170458502-2312673372
Opcode ID: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
Instruction ID: 3fac7199250898b77632ea887e905273a0ca2a52c1bf25bf17bddf130f7f486a
Opcode Fuzzy Hash: c09fb920bc7669bd65d78bc4791726942d010f86c1ff051557e4c77676e60077
Instruction Fuzzy Hash: EE413D70A44208AFDF01EFA5DC42F9E7BB8EB09714F61457AF500F7291D6799E008BA8

Function 0042E428 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E451
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047E1E8,00000000), ref: 0042E4A5

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0042E4B4
Locale, xrefs: 0042E494
GetUserDefaultUILanguage, xrefs: 0042E447
.DEFAULT\Control Panel\International, xrefs: 0042E47C
kernel32.dll, xrefs: 0042E44C
=aE, xrefs: 0042E4E7, 0042E4EF, 0042E4FA, 0042E51C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$=aE$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-1003587384
Opcode ID: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
Instruction ID: 6214d84d9e891aa165dd1588e79579c1e4a82babed7fc21810c195be89e1891e
Opcode Fuzzy Hash: 71ec1778410e517379c49e62a4abf791b893e005234a700e60dfa1d7d317b6f8
Instruction Fuzzy Hash: 65215230B10219ABCB10EAE7DC45A9E77A8EB04318FA04877A500E7281EB7CDE41CA5C

Function 00462D5C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00462D68
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462D7C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462D89
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462D96
GetWindowRect.USER32(?,00000000), ref: 00462DE2
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462E20

Strings

(, xrefs: 00462DC1
GetMonitorInfoA, xrefs: 00462D90
user32.dll, xrefs: 00462D77
MonitorFromWindow, xrefs: 00462D83

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
Instruction ID: 308e9426e96dcd15a0811dc773674cbbce9379ede84ac64ebea6e7762974983c
Opcode Fuzzy Hash: 07f038a1b45edca227de97dbc4e3a49cc5475e4390ab333f174a5f731d21d9c4
Instruction Fuzzy Hash: 8421A775701B046FD3019A64DD41F3B3395DB94714F08453AF944EB381E6B9EC018A9A

Function 0042F198 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F1A4
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1B8
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1C5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1D2
GetWindowRect.USER32(?,00000000), ref: 0042F21E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F25C

Strings

user32.dll, xrefs: 0042F1B3
MonitorFromWindow, xrefs: 0042F1BF
GetMonitorInfoA, xrefs: 0042F1CC
(, xrefs: 0042F1FD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
Instruction ID: f96f766bc13e38d455a6b30724ea53c80225cfaaeacd9570d6dca051b777ffc7
Opcode Fuzzy Hash: fc179306045cef01cc7feea5ef12c7621bc9e212612d9656ab7fba5f67810d88
Instruction Fuzzy Hash: 3221D7797057149BD300D664ED81F3B33A4DB85B14F88457AF944DB381D679EC044BA9

Function 00458F80 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045915F,?,00000000,004591C2,?,?,02123858,00000000), ref: 00458FDD
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 0045903A
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,004590F4,?,00000000,00000001,00000000,00000000,00000000,0045915F), ref: 00459047
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00459093
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,004590F4,?,00000000), ref: 004590B9
GetLastError.KERNEL32(?,?,00000000,00000001,004590CD,?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,004590F4,?,00000000), ref: 004590C0

Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B

Strings

CreateEvent, xrefs: 00458FEB
TransactNamedPipe, xrefs: 00459053

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
Instruction ID: 50fb7c1009465aa7c5405e125e9101384e11cc4d6b330c20a7fc1de2f8ccdd80
Opcode Fuzzy Hash: 1e3f92d8c22a05294e06b5c780760953f793dd62cf34ae2b617d69319ed8131f
Instruction Fuzzy Hash: 68417F71A00608EFDB15DF99C985F9EB7F9EB08714F1044AAF904E72D2C6789E44CB28

Function 00456B58 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CBD,?,?,00000031,?), ref: 00456B80
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B86
LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BD3

Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B

Strings

ITypeLib::GetLibAttr, xrefs: 00456C09
UnRegisterTypeLib, xrefs: 00456C3F
UnRegisterTypeLib, xrefs: 00456B76
OLEAUT32.DLL, xrefs: 00456B7B
GetProcAddress, xrefs: 00456B93
LoadTypeLib, xrefs: 00456BDE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
Instruction ID: a27b950e9f8baa5d3fd7d83d3f5f0f06fd95d714c0010da27a3b0cf72a10e13f
Opcode Fuzzy Hash: 1f12b3bfc7457beb1676229d9a9ac5705a2be6c49cf36285249ab65db7443b7f
Instruction Fuzzy Hash: AB319471B00604AFDB12EFAACC41D5BB7BDEB897557528466FC04D7252DA38DD04CB28

Function 00416D90 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E23
SaveDC.GDI32(?), ref: 00416E37
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
RestoreDC.GDI32(?,?), ref: 00416E75
CreateSolidBrush.GDI32(00000000), ref: 00416EF5
FrameRect.USER32(?,?,?), ref: 00416F28
DeleteObject.GDI32(?), ref: 00416F32
CreateSolidBrush.GDI32(00000000), ref: 00416F42
FrameRect.USER32(?,?,?), ref: 00416F75
DeleteObject.GDI32(?), ref: 00416F7F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
Opcode Fuzzy Hash: e9e72d8966bdaf80817d84d11445bcfe7b70581a29c6dab9ad28bd9778771da1
Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422243
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
Opcode Fuzzy Hash: 510ebc35eb44907ae1e975f945bfd8864758d272309f2385250dfef8029dc5ab
Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C

Function 004812DC Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000), ref: 00481499
FreeLibrary.KERNEL32(03100000), ref: 004814AD
SendNotifyMessageA.USER32(000203DC,00000496,00002710,00000000), ref: 0048151F

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 004814CE
Deinitializing Setup., xrefs: 004812FA
GetCustomSetupExitCode, xrefs: 00481339
Restarting Windows., xrefs: 004814FA
DeinitializeSetup, xrefs: 00481395

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
Instruction ID: fb8259b883485ef9100c7f5c1e95e74d54582b152ce66d5af1bc00326fba4159
Opcode Fuzzy Hash: cfffdee43b38d7813a81b11c3b84a740b2c32b2c8dbaa0def3367d9992a49e61
Instruction Fuzzy Hash: 4451A034704240AFD711EB69D895B2E7BE9FB59704F50887BE801C72B1DB38A846CB5D

Function 004619F8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00461A33
GetActiveWindow.USER32 ref: 00461A97
CoInitialize.OLE32(00000000), ref: 00461AAB
SHBrowseForFolder.SHELL32(?), ref: 00461AC2
CoUninitialize.OLE32(00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AD7
SetActiveWindow.USER32(?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AED
SetActiveWindow.USER32(?,?,00461B03,00000000,?,?,?,?,?,00000000,00461B87), ref: 00461AF6

Strings

A, xrefs: 00461A6B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
Instruction ID: 1302daae15839a874164301860301a8b98b45f7dd6f96d3c0913b4bd506695dd
Opcode Fuzzy Hash: 6bf2c69099c90f86a267e24c634b690acb1506b8ce1301c413aa044d63ad6a36
Instruction Fuzzy Hash: 64314FB0E00248AFDB00EFE6D885A9EBBF8EB09304F51447AF404E7251E7785A44CF59

Function 00472C68 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85,?,?,00000000,004731F4), ref: 00472C8C

Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000,?,00472F85), ref: 00472D03
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472D29,?,?,?,00000008,00000000,00000000,00000000), ref: 00472D09

Strings

.ShellClassInfo, xrefs: 00472CBB
CLSID2, xrefs: 00472CB6
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 00472CC5
desktop.ini, xrefs: 00472CA0
target.lnk, xrefs: 00472CE1

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
Instruction ID: a2498b92200520dbea2b626460b71344a260e4c3afc9e0684e621ff8b49742b9
Opcode Fuzzy Hash: e52ff7fc8aad4532f2121d8bd5e8e7392c558ff45c5d59df65582d72ab666be0
Instruction Fuzzy Hash: 731122303005087BD721EA66DD82B9E73ACCB88714F60853BB404B72D1CB7CEE02865C

Function 0045D618 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(03100000,inflateInit_), ref: 0045D621
GetProcAddress.KERNEL32(03100000,inflate), ref: 0045D631
GetProcAddress.KERNEL32(03100000,inflateEnd), ref: 0045D641
GetProcAddress.KERNEL32(03100000,inflateReset), ref: 0045D651

Strings

inflateReset, xrefs: 0045D64B
inflateInit_, xrefs: 0045D61B
inflateEnd, xrefs: 0045D63B
inflate, xrefs: 0045D62B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
Instruction ID: 6d5035e3426567f523c7c0f539c0fc89aa7e9857b83a97dd2a4ec5b9764e3533
Opcode Fuzzy Hash: fd665f86a4c397101f291ae51b8d6e2550680f8309e6d6ef8ebab45c29bb7339
Instruction Fuzzy Hash: 0D01ECB0900740DEEB24DFB6ACC572236A5ABA470AF14C13B980DD62A2D779044ADF2C

Function 0041A8EC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9C9
73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
SetBkColor.GDI32(?,?), ref: 0041AA18
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
SetBkColor.GDI32(00000000,?), ref: 0041AAD3

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
Instruction ID: 0e7efefeb240adcf91359f1fba61dc18d1efd34d50a4dd97ee32c9a960060edb
Opcode Fuzzy Hash: 318b750f44eee03e3b20258c50c4ae641761c2031fb7fe23ccccef054dc028d8
Instruction Fuzzy Hash: 9861C5B5A00105EFCB40EFADD985E9AB7F8AF08314B10856AF918DB261C735ED41CF68

Function 00457F00 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004580B4,?, /s ",?,regsvr32.exe",?,004580B4), ref: 00458026

Strings

regsvr32.exe", xrefs: 00457F47
Spawning 64-bit RegSvr32: , xrefs: 00457F8B
CreateProcess, xrefs: 00458018
0x%x, xrefs: 00458049
Spawning 32-bit RegSvr32: , xrefs: 00457FAD
/s ", xrefs: 00457F6F
D, xrefs: 00457FDC
/u, xrefs: 00457F62

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
Instruction ID: 809e342f07c36c5fe80e3456e65159aecd70c9e1b429d99a18f855550af0e9f5
Opcode Fuzzy Hash: 55f146e1ef8f4e902545c9b8fd40e77843967da88cee367bff3e11b3e7507cae
Instruction Fuzzy Hash: 97411570A043086BDB10EFD5D842B8EF7B9AB49705F51407FA904BB292DF789A0D8B19

Function 0044D188 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D1B9
GetSysColor.USER32(00000014), ref: 0044D1C0
SetTextColor.GDI32(00000000,00000000), ref: 0044D1D8
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D201
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D20B
GetSysColor.USER32(00000010), ref: 0044D212
SetTextColor.GDI32(00000000,00000000), ref: 0044D22A
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D253
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D27E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
Instruction ID: 3cb6cff9cb4fe1f97db5fca9cf7ecf77bacdc285bba155e9e6a5fbb2dce94e66
Opcode Fuzzy Hash: 0dad7e536888b1c395f42d34690ba7b0fa2f949a96348ff67bbd6a991a2663e5
Instruction Fuzzy Hash: 4921CFB42015007FC710FB6ACD8AE8B7BDCDF19319B01857AB918EB393C678DD408669

Function 0041B67C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B755
73E9A570.USER32(?), ref: 0041B761
73E98830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
73E98830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804

Strings

k H, xrefs: 0041B684

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID: k H
API String ID: 184897721-1447039187
Opcode ID: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
Opcode Fuzzy Hash: 4650e7e3a4975632b128e642f4d75ab8ab1f3030e92489ac81d42ae66184f42b
Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9

Function 0041B94C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA27
73E9A570.USER32(?), ref: 0041BA33
73E98830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
73E98830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1

Strings

k H, xrefs: 0041B954

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID: k H
API String ID: 184897721-1447039187
Opcode ID: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
Opcode Fuzzy Hash: 69b514878c6882b8832b1f329327574619d6a3e89a85ba6a4f0b9ad1becc3db2
Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4

Function 00495EC4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00450918: SetEndOfFile.KERNEL32(?,?,0045C6A6,00000000,0045C831,?,00000000,00000002,00000002), ref: 0045091F

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

GetWindowThreadProcessId.USER32(00000000,?), ref: 00495F55
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495F69
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495F83
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F8F
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495F95
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495FA8

Strings

Deleting Uninstall data files., xrefs: 00495ECB

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
Instruction ID: fec72cc46ef3efd5c3c8e8a450f489c3c08d507a48e2b84f6ee45df75d5b7e94
Opcode Fuzzy Hash: 23da1316c50969bb810f13416529c5ad46a4d90d4c3b6db3608d618ecf590902
Instruction Fuzzy Hash: 34219571304610AFEB11EB75ECC2B2637A8EB54338F61053BF504DA1E6D678AC008B1D

Function 004704A4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1,?,?,?,?,00000000), ref: 0047050B
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004705A1), ref: 00470522
AddFontResourceA.GDI32(00000000), ref: 0047053F
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00470553

Strings

Failed to open Fonts registry key., xrefs: 00470529
Failed to set value in Fonts registry key., xrefs: 00470514
AddFontResource, xrefs: 0047055D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
Instruction ID: 66ce3b01f7eb708e2302e7809b1ea03697ff66c32de1c99646f3643d23023453
Opcode Fuzzy Hash: 2b4b64eddd1924655c58b9871aff7fb9a4f934a6e6bff31d8454543361526e14
Instruction Fuzzy Hash: 62216570741204BBDB10EA669C42FAE779D9B55708F50843BB904EB3C2D67CDE028A5D

Function 0046319C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE

GetVersion.KERNEL32 ref: 004631CC
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0046320A
SHGetFileInfo.SHELL32(004632A8,00000000,?,00000160,00004011), ref: 00463227
LoadCursorA.USER32(00000000,00007F02), ref: 00463245
SetCursor.USER32(00000000,00000000,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046324B
SetCursor.USER32(?,0046328B,00007F02,004632A8,00000000,?,00000160,00004011), ref: 0046327E

Strings

Explorer, xrefs: 004631E6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
Instruction ID: b0d998c5e58c3251a46d3edbb0a2afbc6be3b3781793d4cbec8386629f90fe5f
Opcode Fuzzy Hash: e51ab44d2e52b3d60675834673e9b9904728f2271d1ef9b75da4c79774d1131e
Instruction Fuzzy Hash: FA21E7307403446AEB10FF795C57F9A7698DB09709F5040BFF605EA1C3EA7C8908866D

Function 0047828C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02122BE0,?,?,?,02122BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782A5
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004782AB
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BE0,?,?,?,02122BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 004782BE
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BE0,?,?,?,02122BE0), ref: 004782E8
CloseHandle.KERNEL32(00000000,?,?,?,02122BE0,00478450,00000000,0047856E,?,?,-00000010,?), ref: 00478306

Strings

GetFinalPathNameByHandleA, xrefs: 0047829B
kernel32.dll, xrefs: 004782A0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
Instruction ID: d6ca79aa4c48c3adffb9da4b01ee7f27494699adf3768a2d59cb90ace03db172
Opcode Fuzzy Hash: 626e47d356fab76083b756a204e0250164ee9b03011d355f3d3167744cb8654e
Instruction Fuzzy Hash: 5701C4707C0B0466E520316E4D8AFEB554C8B54B69F54813F7E0CEA2C2DDAE8D06016E

Function 00401A90 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(005D46C8,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,005D46C8,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(005D56C8,?,00000000,00008000,005D46C8,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62

Strings

\], xrefs: 00401B07

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: \]
API String ID: 3782394904-3890588557
Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE

Function 0045A170 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A2F2,?,00000000,00000000,00000000,?,00000006,?,00000000,0049722D,?,00000000,004972D0), ref: 0045A236

Part of subcall function 004543E0: FindClose.KERNEL32(000000FF,004544D6), ref: 004544C5

Strings

Stripped read-only attribute., xrefs: 0045A1F8
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A2AB
Failed to strip read-only attribute., xrefs: 0045A204
Failed to delete directory (%d)., xrefs: 0045A2CC
Failed to delete directory (%d). Will retry later., xrefs: 0045A24F
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A210
Deleting directory: %s, xrefs: 0045A1BF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
Instruction ID: e72d66395cbcced70a1ff0d39e5b36b51bb4b2a363b16cebf3a96f2a9050ba33
Opcode Fuzzy Hash: 3a6653ca049153ac913e3aecd6f83d976b01ed6d176f23095ac7eac981277501
Instruction Fuzzy Hash: 9A41A730A042449ACB00DBA988463AE76A55F4930AF5486BBBC04D7393CB7D8E1D875F

Function 00422E60 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EB4
GetCapture.USER32 ref: 00422EC3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
ReleaseCapture.USER32 ref: 00422ECE
GetActiveWindow.USER32 ref: 00422EDD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
GetActiveWindow.USER32 ref: 00422FCF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
Instruction ID: 0c1e69f79f034fd7694da938dfb4ae80f60ee9794ae3f0b0e2c785ff7ec3c7d8
Opcode Fuzzy Hash: f8c2677d6609ac077b52c6186ee7afb2eac2e0eedff02b6813b422cc668acf14
Instruction Fuzzy Hash: E4413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF500AB392DB78AE40DB5D

Function 0042F2A0 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042F2CA
GetWindowLongA.USER32(?,000000EC), ref: 0042F2E1
GetActiveWindow.USER32 ref: 0042F2EA
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F317
SetActiveWindow.USER32(?,0042F447,00000000,?), ref: 0042F338

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
Instruction ID: 0493a3c03df3966e51b4b777c60d25e7c68e0b9e8cdf2dbcd65ae894a3a71964
Opcode Fuzzy Hash: 511403c039d27e5fd3d4a37a0efbe646b1f0bba5a7b321b537e6f3b04ffedf77
Instruction Fuzzy Hash: 7631B471A00654AFDB01EFB5DC52E6EBBB8EB09714B91447AF804E3691D738AD10CB58

Function 00429490 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 0042949A
GetTextMetricsA.GDI32(00000000), ref: 004294A3

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 004294B2
GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
SelectObject.GDI32(00000000,00000000), ref: 004294C6
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
GetSystemMetrics.USER32(00000006), ref: 004294F3
GetSystemMetrics.USER32(00000006), ref: 0042950D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
Instruction ID: f9189b99ec718bdc55f682ba078bc6b9c4dab98ca430e676b6dc028aca6f8884
Opcode Fuzzy Hash: ed5406780fbe6b6ddf9677d4a66f370c2a77f814a30f66ac1398573dbf155f17
Instruction Fuzzy Hash: 3301E1917087513BFB11B67A9CC2F6B61C8CB8435CF44043FFA459A3D2D96C9C80866A

Function 0041DE34 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00419069,004985AE), ref: 0041DE37
73EA4620.GDI32(00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE41
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004985AE), ref: 0041DE4E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
GetStockObject.GDI32(00000007), ref: 0041DE6B
GetStockObject.GDI32(00000005), ref: 0041DE77
GetStockObject.GDI32(0000000D), ref: 0041DE83
LoadIconA.USER32(00000000,00007F00), ref: 0041DE94

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ObjectStock$A4620A480A570IconLoad
String ID:
API String ID: 2905290459-0
Opcode ID: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
Instruction ID: 4e0a0a69a1fbcc37fa68332f5170e2556ef2fd96a8c36c1a21edcb526b0e3b4b
Opcode Fuzzy Hash: c7b946ff5d18463f692f08f3109d9fac972284bfbf41894a6d0fe66ccf938658
Instruction Fuzzy Hash: E11100B06457015AE740FF666A92BA63694D724708F00813FF605AF3D2D7792C449B9E

Function 004635AC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 004636B0
SetCursor.USER32(00000000,00000000,00007F02,00000000,00463745), ref: 004636B6
SetCursor.USER32(?,0046372D,00007F02,00000000,00463745), ref: 00463720

Strings

, xrefs: 0046392B
Internal error: Item already expanding, xrefs: 0046364D
, xrefs: 00463946

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
Instruction ID: 5f7148262a90782ca5f39c73a98182432cf514ee5891adbc4e31059349ad3c9c
Opcode Fuzzy Hash: 11d96d50149c7a0783bfaa5a1745a1d7ac95eac117891e2e72ad5ff3e9801c67
Instruction Fuzzy Hash: EEB19270600284DFD710DF29C585B9ABBF1AF04319F14C4AAE8459B792E778EE48CF5A

Function 00453D1C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E03

Strings

[rename], xrefs: 00453E66, 00453EA2
.tmp, xrefs: 00453DBF
MoveFileEx, xrefs: 00454013
NUL, xrefs: 00453EC5
WININIT.INI, xrefs: 00453DB1

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
Instruction ID: f7f3e57e327ad0b7fc32dd9a0c0ef844c3cf52932767352b59a94e8a2e0b7a1e
Opcode Fuzzy Hash: 4808755b3c6221495a972d98e090ec94bd7c13575b017f43438820c08e4f7dc1
Instruction Fuzzy Hash: 0E910534E001099BDB01EFA5D842BDEB7F5EF4874AF50806AE90077292D7786E49CB59

Function 00476B6C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476BC5
73EA59E0.USER32(00000000,000000FC,00476B20,00000000,00476E04,?,00000000,00476E2E), ref: 00476BEC
GetACP.KERNEL32(00000000,00476E04,?,00000000,00476E2E), ref: 00476C29
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476C6F

Strings

COMBOBOX, xrefs: 00476BBE
Inno Setup: Language, xrefs: 00476CF7

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ClassInfoMessageSend
String ID: COMBOBOX$Inno Setup: Language
API String ID: 1455646776-4234151509
Opcode ID: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
Instruction ID: 76a62d5c2b18ddabed1a1f2db415f61daf58d6c828ad3828204ddc2489713d7e
Opcode Fuzzy Hash: 93cc19c1f2ae3cdeb94a735bb7db030fa770b3f4550c722f8e96ab60bc3149ff
Instruction Fuzzy Hash: 4E813C346006059FC720DF69C985AEAB7F2FB09304F1580BAE849E7762D738ED41CB59

Function 00408728 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF

Strings

m/d/yy, xrefs: 00408811
mmmm d, yyyy, xrefs: 00408833
:mm:ss, xrefs: 0040893E
AMPM, xrefs: 0040890D
:mm, xrefs: 00408924

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
Instruction ID: bf07bec6589cb82417a29d9109d5e68838e6a5c97ac1b9e4b464d3d1e075229e
Opcode Fuzzy Hash: c01586f9bbb032a7f0f1a98200a37c80c0f70fbac98b28b944ff8a28395f8419
Instruction Fuzzy Hash: 55513E24B00108ABD701FBA69E41A9E77A9DB94304F50C07FA541BB3C7DA3DDE05975D

Function 00411704 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A

Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6

Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD

Strings

?, xrefs: 004117B6
,, xrefs: 004117AF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
Instruction ID: df95c3f439c97799bb0998fa3429798e8a176efd4e8e18b788060c5868d8049e
Opcode Fuzzy Hash: 0b2693d76eb6c03a37913dcbbd37782b63df6b44dbfb9d662716933429e9dd30
Instruction Fuzzy Hash: BA51F674A00144ABDB10EF6ADC816DA7BF9AF09304B11857BF914E73A6E738DD41CB58

Function 0041BE73 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
DeleteObject.GDI32(?), ref: 0041BFAF
DeleteObject.GDI32(?), ref: 0041BFB8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
Instruction ID: 0934d86ca8fb123134a847d885dc0ae0ba41a9d0998c4bba382ea8cf266d8dc0
Opcode Fuzzy Hash: 5d40efa9a489d930f0c3474e6c583d61de37ea4c8bf925e82c26674748b1ae5a
Instruction Fuzzy Hash: 5A510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64

Function 0041CEE8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
73EA4620.GDI32(00000000,00000026), ref: 0041CF2D
73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
73E98830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Stretch$E98830$A4620BitsE922Mode
String ID:
API String ID: 4209919087-0
Opcode ID: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
Opcode Fuzzy Hash: ba9b00c7f19e374317db92bbaed8cea8fa7d56fa7ee5636777b85d926aa1c199
Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58

Function 00457114 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00457166

Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73EA5940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042EEC0,?,00000001), ref: 0041EF09

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571CD
TranslateMessage.USER32(?), ref: 004571EB
DispatchMessageA.USER32(?), ref: 004571F4

Strings

[Paused] , xrefs: 0045719C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Message$TextWindow$A5940CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 1715333840-4230553315
Opcode ID: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
Instruction ID: cc82e29175726c0716c689c1ffa83d11e9869aeff1ced20ba9c80888b84e3111
Opcode Fuzzy Hash: a723b0617cbdde8b0455b730e79db8c0792bcf361dff27c4d69091156c9f8888
Instruction Fuzzy Hash: 013196309082489EDB11DBB5EC81FDEBBB8DB49314F5540B7F800E7292D67C9909CB69

Function 0046B758 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046B897), ref: 0046B814
LoadCursorA.USER32(00000000,00007F02), ref: 0046B822
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B897), ref: 0046B828
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B832
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B897), ref: 0046B838

Strings

CheckPassword, xrefs: 0046B7BC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
Instruction ID: aec6a0205c5a75bc54f0fc291e1a1f9730d999611bc1887dd1e74dc6007ab6bd
Opcode Fuzzy Hash: 653d9654f76fc9f2c348947714f395caa5fd1a5bea1654e8e7fe328d35dfe1b3
Instruction Fuzzy Hash: 333164346406049FD711EB69C889F9E7BE4EF49304F5580B6F844DB3A2D778AD40CB99

Function 00477B88 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477AB0: GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
Part of subcall function 00477AB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
Part of subcall function 00477AB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1

SendMessageA.USER32(00000000,0000004A,00000000,00477F42), ref: 00477BBD
GetTickCount.KERNEL32 ref: 00477C02
GetTickCount.KERNEL32 ref: 00477C0C
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477C61

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 00477C4A
CallSpawnServer: Unexpected response: $%x, xrefs: 00477BF2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
Instruction ID: 65d184c56696bd8d6baefe4a5ac293f093c2dd543b1706e930bc299cdf77f89e
Opcode Fuzzy Hash: 56bd6ace22e6e2035f5031cc9978de37ae905e15686cac3f17074c750df7538a
Instruction Fuzzy Hash: B131A474B042149ADB11EBB988867EEB6A09F48304F90C47AF548EB392D67C9E41879D

Function 00459AE8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00459BA3

Strings

Fusion.dll, xrefs: 00459B43
.NET Framework CreateAssemblyCache function failed, xrefs: 00459BC6
Failed to load .NET Framework DLL "%s", xrefs: 00459B88
CreateAssemblyCache, xrefs: 00459B9A
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00459BAE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
Instruction ID: 1db31b6b51e2e068c3f61674d824012408e1fbc1d182cf764eafebb5ab4ea00f
Opcode Fuzzy Hash: edece01ff0b44ec29f5677049ed357158d3b305d3ba0728d372a41e2f192b5a4
Instruction Fuzzy Hash: EF318970E00619EBDB01EFA5C88169EB7B8AF44315F50857BE814E7382D738AE09C799

Function 0041C158 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065

GetFocus.USER32 ref: 0041C178
73E9A570.USER32(?), ref: 0041C184
73E98830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
73E922A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
73E98830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
73E9A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: E98830$A480A570BitsE922FocusObject
String ID:
API String ID: 2688936647-0
Opcode ID: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
Opcode Fuzzy Hash: 32c019c2b17a625013bd7d07803e420f9d7b692fe3dc5f877fb11705181084ab
Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28

Function 00418C64 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C80
GetSystemMetrics.USER32(0000000D), ref: 00418C88
6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E

Part of subcall function 004099C0: 6F99C400.COMCTL32(0049B628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4

6FA0CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
6FA0C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
6FA0CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
6F9A0860.COMCTL32(0049B628,00418D1F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MetricsSystem$A0860A2980C400C740
String ID:
API String ID: 1086221473-0
Opcode ID: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
Instruction ID: e0b43fe86d74620756cf035266125a11838772e9d6ef4bcae2e69295d5b8951d
Opcode Fuzzy Hash: 33c04b7a68779a44c69ffbd8ad79940853ad3b201d45ee57610259a2e4dbeb77
Instruction Fuzzy Hash: A11149B1744204BBEB10EBA9DC83F5E73B8DB48704F6044BAB604E72D2DB799D409759

Function 004836EC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004837A4), ref: 00483789

Strings

ServerNT, xrefs: 0048376D
System\CurrentControlSet\Control\ProductOptions, xrefs: 00483710
ProductType, xrefs: 00483728
WinNT, xrefs: 00483739
LanmanNT, xrefs: 00483753

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
Instruction ID: 8316402a246994b7737153b66ed252a9f16b12b2be78e08e0fa98e077eb8f510
Opcode Fuzzy Hash: ae1742725748cd88b87d9fe0d1248e5a5e1a514a3c9083b9a236ca5d7aa17843
Instruction Fuzzy Hash: 0311B1B4704244AADB10FF65CC52B5E7AE9DB41B19F60C87BA400A7282EB38CA05875C

Function 00494ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,?,00000000), ref: 00494EE9

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 00494F0B
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495489), ref: 00494F1F
GetTextMetricsA.GDI32(00000000,?), ref: 00494F41
73E9A480.USER32(00000000,00000000,00494F6B,00494F64,?,00000000,?,?,00000000), ref: 00494F5E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494F16

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1435929781-222967699
Opcode ID: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
Instruction ID: 6f18d4fe6cef93123b0455e30b82395b7dbfc0c8f911bccc88a8e51c4d6277b1
Opcode Fuzzy Hash: f7d6f97b91dc48adac3cf3527b9ba73e93ee7bba49e4f60ed72cccac08d23d6d
Instruction Fuzzy Hash: 95018476A04609BFEB00DBA9CC41F5EB7ECDB89704F51447AB600E7281D678AE018B28

Function 0041B472 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54

Function 004233A4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233BF
WindowFromPoint.USER32(?,?), ref: 004233CC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
GetCurrentThreadId.KERNEL32 ref: 004233E1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
SetCursor.USER32(00000000), ref: 00423423

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD

Function 00494CFC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 00494D0C
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494D19
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494D26

Strings

MonitorFromRect, xrefs: 00494D13
user32.dll, xrefs: 00494D07
GetMonitorInfoA, xrefs: 00494D20

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
Instruction ID: 42226921e916c2e61715a17367c32eae2b2292ab525ca03b869d6a68ec0a34c4
Opcode Fuzzy Hash: 70207861a9ddbbfcf1ec4c2ebf1ed82301f215222d5c3051e71e037128298d5d
Instruction Fuzzy Hash: 6CF0F69AB41B1466DA2025B68C81F7B698CCFD1B71F050337BE04A7382ED9D8D0642AD

Function 0045D9EC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(03100000,BZ2_bzDecompressInit), ref: 0045D9F5
GetProcAddress.KERNEL32(03100000,BZ2_bzDecompress), ref: 0045DA05
GetProcAddress.KERNEL32(03100000,BZ2_bzDecompressEnd), ref: 0045DA15

Strings

BZ2_bzDecompressEnd, xrefs: 0045DA0F
BZ2_bzDecompressInit, xrefs: 0045D9EF
BZ2_bzDecompress, xrefs: 0045D9FF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
Instruction ID: e47ea2fb967bc5a05fa6d8d3c64fcba096cc564050e4d812c51f788cc71ed1ca
Opcode Fuzzy Hash: 01040e06415ef817a4763b016626a28be3372e477bb5bd5db3809bf0997a53ea
Instruction Fuzzy Hash: 2BF030B0D05300DFEB24DFB29CC372336959BA4316F14803B9A0D96267D278088CCE2C

Function 0042EA2C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480D8E), ref: 0042EA45
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA5C

Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA70

Strings

user32.dll, xrefs: 0042EA40
ChangeWindowMessageFilterEx, xrefs: 0042EA3B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
Instruction ID: 2c8c4e1fda890c3dedf4e0e73620de090a3a9d5666271f16a874a7bcdd66483b
Opcode Fuzzy Hash: d06cc84e9d2e4e0b448c748badd712702b96776d6b0267aa2fd44745f5a2b4d6
Instruction Fuzzy Hash: 52E092A1741720EAEA10B7B67CC6F9A2668E714729F54403BF100A51E1C3BD1C80CE9E

Function 0044C7EC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044F099), ref: 0044C7FB
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C80C
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C81C

Strings

oleacc.dll, xrefs: 0044C7F6
CreateStdAccessibleObject, xrefs: 0044C816
LresultFromObject, xrefs: 0044C806

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
Instruction ID: d5a6e329c062b47ae4ba9e11e7719f1ec1b45dd3e70fac445fdcae0b1af11dcb
Opcode Fuzzy Hash: c58342e6ebd42d3e550f5fa79659fa064c9032f03f8e913941057cc824ddc2bd
Instruction Fuzzy Hash: 64F0FE70246305CAFB50BBB5FDC67223694E3A4B0AF18137BE40156192D7BC4444CF4C

Function 00478B3C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,004985F4), ref: 00478B42
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478B4F
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478B5F

Strings

VerifyVersionInfoW, xrefs: 00478B59
VerSetConditionMask, xrefs: 00478B49
kernel32.dll, xrefs: 00478B3D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
Instruction ID: 8ade474bf949b7c868f23be577f60042bf37b8b7e1302e6d2b868e4e2d48ad49
Opcode Fuzzy Hash: dff5fcaa570554af533fa68d6d4d47fa30ed3b2efb34bda6c6df081b9be12d17
Instruction Fuzzy Hash: D4C0E9F0AC1740EEAA00E7F15CDAD762558D514B34724943F754DAA193D97D58044A2C

Function 0041B518 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B58E
73E9A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
73EA4620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
73ECE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
73ECE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
73E9A480.USER32(?,?,0041B643,?,?), ref: 0041B636

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: E680$A4620A480A570Focus
String ID:
API String ID: 2226671993-0
Opcode ID: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
Opcode Fuzzy Hash: 5d7c3ba993e5eebd83af6d17b2c287e498e3d287d4e0c623dc28ca4d995b2802
Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5

Function 0045D3B0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D4E8,?,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D45A

Strings

CLASSES_ROOT, xrefs: 0045D3E0
CURRENT_USER, xrefs: 0045D3EF
USERS, xrefs: 0045D40D
MACHINE, xrefs: 0045D3FE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
Instruction ID: bfdb5615fdc952ab51c5d4d36cfcdc52ba3649a349ed7733e19bd606ff263fd4
Opcode Fuzzy Hash: 4cfdc77ab01fb36c91946a35bece077a72b39e520f3a0bad4193af408e0f5770
Instruction Fuzzy Hash: A6117835A04204ABD731DE95C941A5E76DCDF46306F608077AD0596283D67C6F0A952A

Function 0041BD9C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
73E9A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
73EA4620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
73E9A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: A4620MetricsSystem$A480A570
String ID:
API String ID: 4120540252-0
Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9

Function 0047E264 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047E272
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CFF1), ref: 0047E298
GetWindowLongA.USER32(?,000000EC), ref: 0047E2A8
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E2C9
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E2DD
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E2F9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
Instruction ID: 64a3e6c2176d4acc74ea6130292171d5cd043058eec335b926c35577e1896bc6
Opcode Fuzzy Hash: f65d960a6ef7549d8abdb9e067b5e5f1b226f2d151c0a96430342ef03e516e78
Instruction Fuzzy Hash: DE010CB5651210ABE600D769DE41F66379CAB0D334F0503AAB959DF2E3C729EC009B49

Function 0041B280 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B

UnrealizeObject.GDI32(00000000), ref: 0041B28C
SelectObject.GDI32(?,00000000), ref: 0041B29E
SetBkColor.GDI32(?,00000000), ref: 0041B2C1
SetBkMode.GDI32(?,00000002), ref: 0041B2CC
SetBkColor.GDI32(?,00000000), ref: 0041B2E7
SetBkMode.GDI32(?,00000001), ref: 0041B2F2

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D

Function 0049772C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,00497991,?,?,00000000), ref: 00497762

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049778A,00000000,0049795D,?,?,00000005,00000000,00497991,?,?,00000000), ref: 004072BB

Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,0045606A,00000000,004560D2), ref: 0042D491

Strings

Uninstall, xrefs: 00497748
IMsg, xrefs: 00497836
.msg, xrefs: 004977C8
.dat, xrefs: 004977A9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
Instruction ID: bbf2e7f3574d42a9113524bdb42c94a944b0e97273f2a70b882bd080beededf8
Opcode Fuzzy Hash: 8060b02bfbd0833a98a3e6243afb85b8b494b7fa2efbfb07078fe99f385005b5
Instruction Fuzzy Hash: 8E318F74A10214AFDB00EF65DC82D6E7BB5EB89318B51847AF800AB392D739BD01CB58

Function 0042EAB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19

Strings

ShutdownBlockReasonCreate, xrefs: 0042EAE0
user32.dll, xrefs: 0042EAE5

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
Instruction ID: f5c55ae169209784706469d1b6e96428d25835975ad7b3a5622eb1d8c2489c6d
Opcode Fuzzy Hash: 915f5369749bf1dd2f4e97bc9020bef18acdf07caf1deb2404a0262322aa2bf8
Instruction Fuzzy Hash: 2DF022E078062136E620E2BFACC3F6B498C8FA0725F040436F009EA2C2E92C9900422E

Function 004019CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

\], xrefs: 00401A04

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: \]
API String ID: 730355536-3890588557
Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD

Function 00457E34 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457E64
GetExitCodeProcess.KERNEL32(?,00498116), ref: 00457E85
CloseHandle.KERNEL32(?,00457EB8,?,?,004586D3,00000000,00000000), ref: 00457EAB

Strings

MsgWaitForMultipleObjects, xrefs: 00457E71
GetExitCodeProcess, xrefs: 00457E8E

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
Instruction ID: 6a931132ee958b8202ab537f65b64b7fb4871f4dbf11571726e28c2ddef09419
Opcode Fuzzy Hash: 575e6b60f34cbf4eff7e6cad29998e42f3eca010a17ab32e5b4d53f7e3c6a35f
Instruction Fuzzy Hash: 1101A735604704AFDB11EB999D43A1E77A8DB49711F5004B6FC10E73D3D63C9D048618

Function 0042E9BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,00499934,00457029,004573CC,00456F80,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9D2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9E9

Strings

ChangeWindowMessageFilter, xrefs: 0042E9C8
user32.dll, xrefs: 0042E9CD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
Instruction ID: 5ef4959e42d5312267b3952f4de6be483a2b5690063b138e9708ef51bd19b1c3
Opcode Fuzzy Hash: 9d5cf1aadbd407eeb031432e352e4554899be5068d45876e9cc0d059751b9763
Instruction Fuzzy Hash: A3E0ECB1741314EADA106B62BECBF5A2558E724B15F54043BF101751F2C7BD2C80C95E

Function 00477AB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00477AB8
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477BAF,0049C0A4,00000000), ref: 00477ACB
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477AD1

Strings

user32.dll, xrefs: 00477AC6
AllowSetForegroundWindow, xrefs: 00477AC1

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
Instruction ID: 8233eca9c26ae86130ab8a2651ceb45e7b9436c82c984da63702dcb6f06a18e2
Opcode Fuzzy Hash: 68b371c1f4cd94bc20bebdce253c565989975d555a3c9a3b5155311c67ca03d8
Instruction Fuzzy Hash: 27D0A7A0208300A6ED10F3F14C47E6F224C8D847587A4C43B7404E3182CABCE900993C

Function 00416C3C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C62
SaveDC.GDI32(?), ref: 00416C93
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
RestoreDC.GDI32(?,?), ref: 00416D1B
EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58

Function 00414810 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414846
MulDiv.KERNEL32(?,?,?), ref: 00414860
MulDiv.KERNEL32(?,?,?), ref: 00414889
MulDiv.KERNEL32(?,?,?), ref: 004148B4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148FC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19

Function 004297DC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
Opcode Fuzzy Hash: 52b5b48316c5d4ae37ce8577e0a97d76e0e4998a9a2ed84e03e9d155575d1481
Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C

Function 0041BBC8 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
73E9A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
DeleteObject.GDI32(00000000), ref: 0041BCAA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MetricsSystem$A570A6310DeleteObject
String ID:
API String ID: 3435189566-0
Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98

Function 00473848 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045D3B0: SetLastError.KERNEL32(00000057,00000000,0045D47C,?,?,?,?,00000000), ref: 0045D41B

GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738D5
GetLastError.KERNEL32(00000000,00000000,00000000,0047391C,?,?,0049C1D0,00000000), ref: 004738EB

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 004738DF
Setting permissions on registry key: %s\%s, xrefs: 0047389A
Failed to set permissions on registry key (%d)., xrefs: 004738FC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
Instruction ID: 0e56c8fb080e82cb73bff42131c1910bc7e2d1be1188aa0d4929b19add272574
Opcode Fuzzy Hash: 65c899866a6f92bdc558b75d1f6f5c8f40dffa86cd9e0ff42c768141b597e19f
Instruction Fuzzy Hash: D42186B0A046485FCB00DFA9C8816EEBBE5DF49315F50817BE508E7392D7B85A05CB6A

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143F0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73E98830.GDI32(00000000,00000000,00000000), ref: 00414429
73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: E922E98830$A480
String ID:
API String ID: 3692852386-0
Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765

Function 00406FAC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD

Strings

Z, xrefs: 00407044

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
Instruction ID: 2ace50d644c075eff23e32fa5e1ddfe03b8fa53596be5d4ceb5675c655e146ae
Opcode Fuzzy Hash: eb416ea4a1b8f2daa77fdd812f136362b1db0fd9b9a9c64830d5574e342882dc
Instruction Fuzzy Hash: C0513070E04218ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE418F5A

Function 0044CFD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D05E
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D089
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D111

Strings

, xrefs: 0044D043

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
Instruction ID: 2c2bbb7fbf4b59eae95d31c7b28000ca71a9f0321ec4255fb332cd8a4a3f7a8e
Opcode Fuzzy Hash: 9bd908fd6ab002ebc51c141ad104fc93549b6590cb61d9638f2d60c2e4f6398c
Instruction Fuzzy Hash: F6516071E00244AFDB10DFA5C885BDEBBF8AF49308F08847AE845EB255D778A945CB64

Function 0042EF84 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EFAE

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(?,00000000), ref: 0042EFD1
73E9A480.USER32(00000000,?,0042F0BD,00000000,0042F0B6,?,00000000,00000000,0042F0D8,?,?,?,?,00000000,00000000,00000000), ref: 0042F0B0

Strings

...\, xrefs: 0042F062

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: A480A570CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 2998766281-983595016
Opcode ID: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
Instruction ID: 4ea51e63949933808241df29427b07dd96e06abf1a704ffa26f869fa6ec4a11f
Opcode Fuzzy Hash: da53642769cbe036028c7dc5c32fe254f1027efce08608ae13d670d4fc685408
Instruction Fuzzy Hash: 2F315270B00128ABDF11EF96D841BAEB7B8EB48708FD1447BF410A7292D7785D49CA59

Function 004538A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 00453997
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004967F1,_iu,?,00000000,004539E2), ref: 004539A7

Strings

.tmp, xrefs: 0045394B
_iu, xrefs: 00453939

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: dc109c8f01286b2989461901934a6d9e01325b966eab87418c3e389b569fc91a
Instruction ID: 4fa05f029f2566c48aedd37e5d2d112a05e3774389c58111587f2dbaaee79b9c
Opcode Fuzzy Hash: dc109c8f01286b2989461901934a6d9e01325b966eab87418c3e389b569fc91a
Instruction Fuzzy Hash: 9531A6B0A40149ABCF01EF95C982B9EBBB5AF44345F50452AF800B72C2D6785F058AAD

Function 00416420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
UnregisterClassA.USER32(?,00400000), ref: 004164BB
RegisterClassA.USER32(?), ref: 004164DE

Strings

@, xrefs: 00416439

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 8cb808bfaf21f9b6be1f4599df9655a946cb93d0bbb2725194c7e4a3bd3b9422
Instruction ID: 7ea39428e622c43f80c69b44bdb33f9ce6dea52ad5211df5dc1c1138561595a4
Opcode Fuzzy Hash: 8cb808bfaf21f9b6be1f4599df9655a946cb93d0bbb2725194c7e4a3bd3b9422
Instruction Fuzzy Hash: 0E318E706042009BD760EF68C981B9B77E5AB88308F04457FF985DB392DB39D9848B6A

Function 00497BE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C50
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498530,00000000,00497CD6,?,?,00000000,0049B628), ref: 00497C79
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497C92

Strings

isRS-%.3u.tmp, xrefs: 00497C2F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
Instruction ID: 213244b736f3eff521ec2db090c728ece63042f248bf50699bdf4cb02408e53f
Opcode Fuzzy Hash: 9f18e9119b438212db1bb595c56ccc89a7930ded87602de0aca2db56358788ed
Instruction Fuzzy Hash: 53214171E14219AFCF05EFA9C881AAFBBB8AB44714F50453BB814B72D1D6385E018B69

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Runtime error at 00000000, xrefs: 00404DBE, 00404DD1
Error, xrefs: 00404DB9

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED

Function 00456A34 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A88
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456AB5

Strings

RegisterTypeLib, xrefs: 00456AC0
LoadTypeLib, xrefs: 00456A93

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
Instruction ID: 5567ca09ff2ddd9e87874ef4cfa4ab968baaa8f1c3db1669d027a8a21fc87fa6
Opcode Fuzzy Hash: 384f0062f956a7e6e5f729262f076ec348bfef461e3db0757be0fdeeca084a77
Instruction Fuzzy Hash: 20119331B00604AFDB11EFA6CD55A5EB7BDEB8A705B51C4B6BC04E3652DA389E04CB24

Function 00456F8C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456FA6
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457043

Strings

Failed to create DebugClientWnd, xrefs: 0045700C
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FD2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
Instruction ID: 61f5065308a022425a12d25e559eb7300ab1b4b0d104b50eccf394a1c4e119f6
Opcode Fuzzy Hash: e461573c832d53d536b60bdd09be1689879239ada0565844d92a82a55e03096e
Instruction Fuzzy Hash: 921123706082509BD300AB689C82B5F7BD89B55719F45403BF9859B3C3D7798C08C7AE

Function 00495D70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000,00495E13), ref: 00495DDE
CloseHandle.KERNEL32(x^I,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495E38,?,00495E2C,00000000), ref: 00495DF5

Part of subcall function 00495CC8: GetLastError.KERNEL32(00000000,00495D60,?,?,?,?), ref: 00495CEC

Strings

x^I, xrefs: 00495DF1, 00495DF4
D, xrefs: 00495DB8

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D$x^I
API String ID: 3798668922-903578107
Opcode ID: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
Instruction ID: 0d7d1bccb2b79611993d32b5dcf50d38d0c3e5c5098d5d0063742a7482510134
Opcode Fuzzy Hash: 39c0d8672a1bce61a407111d09c5e91ba0fa0ceca0774959188b9b62fea67dd3
Instruction Fuzzy Hash: F201A1B1604648AFDF01EBA2DC42E9FBBACDF08704F60003AF904E72C1D6385E008A28

Function 00478608 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetFocus.USER32 ref: 00478673
GetKeyState.USER32(0000007A), ref: 00478685
WaitMessage.USER32(?,00000000,004786AC,?,00000000,004786D3,?,?,00000001,00000000,?,?,?,0047FED4,00000000,00480D8E), ref: 0047868F

Strings

Wnd=$%x, xrefs: 00478657

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
Instruction ID: ef44951ba698f020dd2967180cd2d6f5e0b89f016f08406409eb47c9a327eab3
Opcode Fuzzy Hash: 1a422d4577b49dccfc2774414577709a46ec3ce372f56b5ec11200a8bbcf7a92
Instruction Fuzzy Hash: 2411A374644244BFC700EF65DD45A9E7BF8EB49714B5184BAF408E3691DB38AE00CA6E

Function 0046E8B8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E8C0
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E8CF

Strings

(invalid), xrefs: 0046E952
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046E944

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
Instruction ID: 5dd70de3b3cbc2db986134396dd9c806d54cb2705fd1511918c86a199fc004ed
Opcode Fuzzy Hash: 2e2682d59cfc45f7ed460395edcc4d500eda373c92ad7cb826f7e8648d0918d2
Instruction Fuzzy Hash: 1711F8A440C3919AD340DF2AC44432BBBE4AF89704F44892EF9D8D6381E779C948DB77

Function 00453F62 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F6F

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049B628,004980C1,00000000,00498116,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

MoveFileA.KERNEL32(00000000,00000000), ref: 00453F94

Part of subcall function 00453488: GetLastError.KERNEL32(00000000,0045401D,00000005,00000000,00454052,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497D75,00000000), ref: 0045348B

Strings

MoveFile, xrefs: 00453F9D
DeleteFile, xrefs: 00453F80

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
Instruction ID: b42c41819cc20c1867e4fcb1ab4fb5766129ddbc0fc5112b2d6697d8e42203d6
Opcode Fuzzy Hash: 987ea279d6d59187c3e0b7c28975cb0d289204635ad797c92353d6d323b91857
Instruction Fuzzy Hash: 49F062716041455AEB01FAA5D84266EA3ECDB8430BFA0403BB800BB6C3DA3C9E09493D

Function 00483644 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483685
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004836A8

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00483652
CSDVersion, xrefs: 0048367C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
Instruction ID: 3c550b8be62ae6962ae8a8b2bb2136c6a1766c1456238aff6c9f059f5d92f743
Opcode Fuzzy Hash: 753ec1cdaceecf10a2c10abed9fa14ba9196f183527e9def43a7b07e5ea74203
Instruction Fuzzy Hash: B1F06D75E00208B6DF20EED88C45BAFB3BCAF14B05F204566E910E7381F6789B448B59

Function 004596C8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459805,00000000,004599BD,?,00000000,00000000,00000000), ref: 00459715

Strings

InstallRoot, xrefs: 00459704
SOFTWARE\Microsoft\.NETFramework, xrefs: 004596E8
.NET Framework not found, xrefs: 00459724

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
Instruction ID: 5fc53f2980ca067f7fdefaa7aa50a153e5e830959166a8c5adde0da5508e813c
Opcode Fuzzy Hash: 2bb6d2a90fde3dca571cbffa0de55d15307f7e9fe95e0bdc468a8876b40318f9
Instruction Fuzzy Hash: 97F0AF35720150DBCB10EF5AE885B4E6298DB99396F50403BB985CB263C77CCC06CA99

Function 0042D900 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B46,00000000,00453BE9,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FD9,00000000), ref: 0042D91A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920

Strings

kernel32.dll, xrefs: 0042D915
GetSystemWow64DirectoryA, xrefs: 0042D910

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
Instruction ID: 1097081faf8e12b72459453f22f39748745641366cc83a46a0cb0e3cd7246884
Opcode Fuzzy Hash: 9f11ee2d5e3000e0cdd038ccf0fc88bc65f7f941c6d0e4eb05ced4219cc1a029
Instruction Fuzzy Hash: 5FE04FE1B40B1112D71066BA5C82B6B158E4B84724F90443B3994E62C3DDBCD9885A5D

Function 0042EB64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78

Strings

ShutdownBlockReasonDestroy, xrefs: 0042EB68
user32.dll, xrefs: 0042EB6D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
Instruction ID: 186c8a8b24504359f9bd95d8817b94a00a7cf61d77d8ea7090d5fad6c77db3b3
Opcode Fuzzy Hash: ea69c1903bbb3952bc51afe47cebbdaeff40ebefb6d83304b24a691856bce627
Instruction Fuzzy Hash: 1CD0C792312732666D10F1F73CD1DBB098C89116753544477F505E5241D55DDD01196D

Function 0044F754 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004985C2), ref: 0044F78F
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F795

Strings

NotifyWinEvent, xrefs: 0044F785
user32.dll, xrefs: 0044F78A

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
Instruction ID: adaf68bc035e952e092e397114f6a1653fed54d9058db7208dfb757fc5d15743
Opcode Fuzzy Hash: ae93fc19694d9525260dce27dd3aecea032003b0c05c01207aef2e00a83e3bcb
Instruction Fuzzy Hash: F7E012F4E417049DEF00BBF5BA86B1E3A90E764718B01417FF404A62A2DB7C440C8E5D

Function 00498338 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498618,00000001,00000000,0049863C), ref: 00498342
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498348

Strings

DisableProcessWindowsGhosting, xrefs: 00498338
user32.dll, xrefs: 0049833D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
Instruction ID: 7eda4cb16e2cba450c320cc229382d7be1fc12bfd2fbc27455de3eb8489cf644
Opcode Fuzzy Hash: a3044ebe087eacdbfcba4854d25501df4a36c2cbac561551b3a8e0a3d6241fb5
Instruction Fuzzy Hash: 88B092C128174298AC7032FA0C02A1F08084882F28718083F3C48F50C2CD6ED804182D

Function 00464960 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B668: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F785,004985C2), ref: 0044B68F
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B6A7
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6B9
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6CB
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6DD
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6EF
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B701
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B713
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B725
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B737
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B749
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B75B
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B76D
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B77F
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B791
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B7A3
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7B5
Part of subcall function 0044B668: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7C7

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004985EA), ref: 0046496F
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464975

Strings

shell32.dll, xrefs: 0046496A
SHPathPrepareForWriteA, xrefs: 00464965

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
Instruction ID: ef62b78e1ecbbf86accf82cc5e54c74759ffbda80f6f2c7107c350d82a6c33f4
Opcode Fuzzy Hash: b0b0cc609965775dafbc177cfbf53c5f286fe0b9a785a06f0526f65a81a5d1e8
Instruction Fuzzy Hash: 48B092E06E2700A88E00B7FA2887B0B104895D0B1DB56063F704979092EB7C4008CD6E

Function 0047D334 Relevance: 6.2, APIs: 4, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E), ref: 0047D484
FindClose.KERNEL32(000000FF,0047D4AF,0047D4A8,?,?,?,?,00000000,0047D5FD,?,?,?,00000000,?,0047D70E,00000000), ref: 0047D4A2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
Instruction ID: 2979fa4f850f67a6d1e6d53d287e6b8f4dfe67a5ddfa55c2aaa4ecb03bfc0e13
Opcode Fuzzy Hash: b2c7b71d20f6e59f381effc7c5b6ff5d5103613db955826220e612b659a83145
Instruction Fuzzy Hash: CA812D70D0024DAFDF11DFA5CC55ADFBBB9EF49308F5080AAE808A7291D6399A46CF54

Function 0047581C Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042EE40: GetTickCount.KERNEL32 ref: 0042EE46

Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD

GetLastError.KERNEL32(00000000,00475991,?,?,0049C1D0,00000000), ref: 0047587A

Strings

MoveFileEx, xrefs: 004758DF
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 0047594F
, xrefs: 004758B2, 004758CD

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
Instruction ID: 8ae0701305b01ce1bca9537847079d861391bf026d2cb8563746cd807755024f
Opcode Fuzzy Hash: 0a1b29da48a0e8fc9cf90d26d5d6551fdd5eac2558fd5f62cf07407676141883
Instruction Fuzzy Hash: BB4166B0A006098FDB10EFA5D882ADE77B5EF48314F60853BE514BB351D7789A058BA9

Function 00413D08 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D56
GetDesktopWindow.USER32 ref: 00413E0E

Part of subcall function 00418ED0: 6FA0C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418EEC
Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049B628), ref: 00418F09

SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
Instruction ID: 95de96b99ba854305cf3f6c98da1fc171ffd9c3687d173b50ed20deed18b133b
Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
Instruction Fuzzy Hash: 59411F75600250AFC710DF2AFA85B5677E1EB64319F15817BE404CB365DB38AD81CF98

Function 00408A5C Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
Instruction ID: 11344639af0fa1b95b6fef638a25282c94d515b30ba3ed4b3402aedba36e13da
Opcode Fuzzy Hash: 951c1155a055777031086f0b90c3083af3c2960daf331f13f5541ebbba7c3e7d
Instruction Fuzzy Hash: 843133706083849ED330EA658945B9F77D89B85304F40483FF6C8D72D1DB79A9048B67

Function 0044E8D4 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E91D

Part of subcall function 0044CF60: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF92

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E9A1

Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8

IsRectEmpty.USER32(?), ref: 0044E963
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E986

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
Instruction ID: 03991ef50c1cdc1947edd1d0bf9da16660927dd763c0b41cb42d654f0fd6bbd7
Opcode Fuzzy Hash: 919708f5ffdde2f57f521d6641e4cc0e1a287a75e8cdc9711807c6008472dbb9
Instruction Fuzzy Hash: 47113871B5030027E250AA7A9C86B5B76899B88748F14093FB546EB3C7EE7DDC09429D

Function 004952F4 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00495358
OffsetRect.USER32(?,00000000,?), ref: 00495373
OffsetRect.USER32(?,?,00000000), ref: 0049538D
OffsetRect.USER32(?,00000000,?), ref: 004953A8

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
Instruction ID: af1c1dfc71d00ff4a9a929e8d6bf6bfabc08d13bc1b1844b1e7d273cf48c6b2a
Opcode Fuzzy Hash: 39b7304c59ecfeab53ef959acea8ec35100b2c2eb9a0585a5ab9f65ef9bb45fe
Instruction Fuzzy Hash: 94217CB6700701ABD700DE69CD85E5BB7DEEBC4344F24CA2AF954C7249D634ED0487A6

Function 00417228 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417270
SetCursor.USER32(00000000), ref: 004172B3
GetLastActivePopup.USER32(?), ref: 004172DD
GetForegroundWindow.USER32(?), ref: 004172E4

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
Instruction ID: a2974bbdd40a4ad71efed6c963999b1e78101043f5dd1c0306289f7dfca9f025
Opcode Fuzzy Hash: ab2bc15dd938f987afbfcd80c1a154205083a351e68354f3dc1a1c3122339836
Instruction Fuzzy Hash: 4321A1313082018BCB20AB69E985AE733B1EF44754B0545ABF854CB352D73CDC82CB89

Function 00494FAC Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494FC1
MulDiv.KERNEL32(50142444,00000008,?), ref: 00494FD5
MulDiv.KERNEL32(F70577E8,00000008,?), ref: 00494FE9
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495007

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: c81a7ae82503e1df060b9d2e8e6c822c04bb2cec442f3182d8fec1f0f0e8f71f
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: 48112472604204ABCF50DE99C8C4D9B7BECEF4D320B1541A6F918DB246D674DD408BA4

Function 0041F490 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
RegisterClassA.USER32(00499598), ref: 0041F4E4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
Instruction ID: e8d232a05c88a2160d81946a52d6ac90de0a8bd7e5396313334bc6410d622602
Opcode Fuzzy Hash: 17400656b2714228e1ab5d36733c826c34e0b7aebe27f437723bcf7a68a21383
Instruction Fuzzy Hash: 7B011B722401047BDA10EB6DED81E9B3799D719314B11413BBA15E72A1D7369C154BAC

Function 00454F68 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(00000001,00000032), ref: 00454F94
MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00454FB6
GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00454FC5
CloseHandle.KERNEL32(00000001,00454FF2,00454FEB,?,00000031,00000080,00000000,?,?,0045534B,00000080,0000003C,00000000,00455361), ref: 00454FE5

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
Instruction ID: 44a5693fa59bfbe72ab063cfacecacb9b789a88f4d4f9747d0667cdf65a63c8e
Opcode Fuzzy Hash: 45540edf5afa8ba95db9dec670ac0957df4a9836c83591dc179b3e9a7f9926ac
Instruction Fuzzy Hash: 7201F9716046087EEB20979E8C06F6B7BACDF44774F610167F904DB2C2C6785D40C668

Function 0040D210 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4,0000000A,REGDLL_EXE), ref: 0040D241
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047C7C4), ref: 0040D25B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78

Function 00401548 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,\],?,?,?,004018B4), ref: 00401566
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,\],?,?,?,004018B4), ref: 0040158B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,\],?,?,?,004018B4), ref: 004015B1

Strings

\], xrefs: 0040154B

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: \]
API String ID: 3668210933-3890588557
Opcode ID: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
Instruction ID: ed10fda1d5a177d2a0c43996bc0be7fa2989f050302610c9045c0a13ae1d279a
Opcode Fuzzy Hash: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
Instruction Fuzzy Hash: AFF0C8716403206AEB315A294C85F133AD4DBC5754F104075BE09FF3DAD6B8980082AC

Function 0047009C Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 004700ED

Strings

Setting NTFS compression on directory: %s, xrefs: 004700BB
Failed to set NTFS compression state (%d)., xrefs: 004700FE
Unsetting NTFS compression on directory: %s, xrefs: 004700D3

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
Instruction ID: 8e5543267561a70d3fbbbef991b1365390ff1382f756d9cdf86c8bb39141f558
Opcode Fuzzy Hash: dfebb939fa925478a91c01d20c19499446f2cbe0988f19a8e93b7205f6de1292
Instruction Fuzzy Hash: C9011730E0928C96CF05D7ADA0412DDBBF4DF4D314F84C1AFA45DE7282DA790609879A

Function 00470848 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 00470899

Strings

Unsetting NTFS compression on file: %s, xrefs: 0047087F
Setting NTFS compression on file: %s, xrefs: 00470867
Failed to set NTFS compression state (%d)., xrefs: 004708AA

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
Instruction ID: 78fa65e16581c334b53b8e167e27839d8ecb3154876bc13dabe901d18edf2e93
Opcode Fuzzy Hash: 323dc33fe38fce2a535158e710f937577eac4405a22a140b88caf43724a8761b
Instruction Fuzzy Hash: 5C01F430D092489ADB04A7E9A4412EDBBF49F09314F45C1ABA459E7282DAB9050947DB

Function 00455D88 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000,0045BB39), ref: 00455DC4
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BB12,?,?,?,?,?,00000000), ref: 00455DCD
RemoveFontResourceA.GDI32(00000000), ref: 00455DDA
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DEE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
Instruction ID: 88a6b2d0cd2ebf9d052afffcb5c4be27c29a8e8e48dcb03e602a07ae18d4e81c
Opcode Fuzzy Hash: 5aa6bc1fef2ece3e1d74d37f8f7457d5ece9b91b834f41029562ebbb00b702db
Instruction Fuzzy Hash: E3F05EB6B4470176EA10B6B69C8BF2B229C9F54745F10883BBA00EF2C3D97CDC04962D

Function 0047CA00 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047CA21
GetLastError.KERNEL32 ref: 0047CA2B
GetTickCount.KERNEL32 ref: 0047CA35
Sleep.KERNEL32(00000032), ref: 0047CA45

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
Instruction ID: e9c2c7e2fc271270d41d52dba3350464f1e42bdffd51bbfd166b1ef271046f5a
Opcode Fuzzy Hash: b259759894679f81c91e5f8e49ac887a4ee880673b8cc13734a950e5130029b9
Instruction Fuzzy Hash: 93E02B7130964845CA24B2BE28C37BF4A88CB8536AB14453FF08CD6242C42C4D05956E

Function 00478120 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB,00000000), ref: 00478129
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E,?,?,?,?,?,004986AB), ref: 0047812F
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478151
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480D8E), ref: 00478162

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: fbd84f65280b9b42d2110702e409595f627c02f938f534a1f8f22361ecaea6e1
Instruction ID: 3331d84468cd062744280f6e1aa24963878bc2b2d96e3aea022572b3ec77581d
Opcode Fuzzy Hash: fbd84f65280b9b42d2110702e409595f627c02f938f534a1f8f22361ecaea6e1
Instruction Fuzzy Hash: 70F030716843016BD600EAB5CC82E9B77DCEB44754F04893E7E98D72C1DA79DC08AB66

Function 00424250 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042425C
IsWindowVisible.USER32(?), ref: 0042426D
IsWindowEnabled.USER32(?), ref: 00424277
SetForegroundWindow.USER32(?), ref: 00424281

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 3290ed535df25d2f1ddaed747f1c047a4a496922c2b2cea1102cb49f09a67e5c
Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
Opcode Fuzzy Hash: 3290ed535df25d2f1ddaed747f1c047a4a496922c2b2cea1102cb49f09a67e5c
Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnlock.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalLock.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Function 0047A064 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B8D5,?,00000000,00000000,00000001,00000000,0047A301,?,00000000), ref: 0047A2C5

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A139
Failed to parse "reg" constant, xrefs: 0047A2CC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: e0d6e35170bf7ee4b8178599f1d76f9c45a53d37f1d162d859c7bf4591e85c05
Instruction ID: 3bf0094b3715a844c7fa4d69accdb7e726d223c3dcefaf8b2e4f531663087c06
Opcode Fuzzy Hash: e0d6e35170bf7ee4b8178599f1d76f9c45a53d37f1d162d859c7bf4591e85c05
Instruction Fuzzy Hash: 5F814174E00149AFCB10DF95D881ADEBBF9EF48314F5081AAE814B7392D7389E05CB99

Function 0048300C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483045
SetActiveWindow.USER32(?,00000000,00483196,?,00000000,004831D7,?,?,?,?,00000000,00000000,00000000,?,0046C0D1), ref: 00483057

Strings

Will not restart Windows automatically., xrefs: 00483176

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: f35973b3444d63abd30155c0fb60d5d87605f2a8390df662fe53ad2e28820558
Instruction ID: df9a9ae9a8219d8b6a1298420550b74bcee7fa449f44545fa147fc9774bd32fa
Opcode Fuzzy Hash: f35973b3444d63abd30155c0fb60d5d87605f2a8390df662fe53ad2e28820558
Instruction Fuzzy Hash: A7413330208340AED710FFA4DC9AB6E3BA4DB15F05F1408B7E9404B3A2D6BD5A04DB1D

Function 0046CEB4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046CFCC
Failed to proceed to next wizard page; showing wizard., xrefs: 0046CFE0

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: f8b0d9f73654ae948dfe63457d27392de8d2a8ebea4116114edd3800fcdd02ea
Instruction ID: 63d40b18a6e87dbc706e62a2b7ed59e25ea13cd94e581da409b3f01416405f56
Opcode Fuzzy Hash: f8b0d9f73654ae948dfe63457d27392de8d2a8ebea4116114edd3800fcdd02ea
Instruction Fuzzy Hash: 9A319E30A08244DFD711EB99D989BA977F6EB05308F1500FBF0489B392D779AE40CB1A

Function 00478DB4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,c6H,?,00000001,?,?,00483663,?,00000001,00000000), ref: 0042DE48

RegCloseKey.ADVAPI32(?,00478E9A,?,?,00000001,00000000,00000000,00478EB5), ref: 00478E83

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478E0E
%s\%s_is1, xrefs: 00478E2C

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
Instruction ID: 403b8390735a8e98fed73365c843d129082673b7d0193522817cb9849c55968d
Opcode Fuzzy Hash: 3c218534b7aea35313477da1420f505f75d4b79f6803eaf18b753309f41f968f
Instruction Fuzzy Hash: 79218470B40208AFDB01DFAACC55A9EBBE8EB48304F90847EE904E7381DB785D018A59

Function 00450154 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501E9
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045021A

Strings

open, xrefs: 0045020D

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
Instruction ID: 6e2feb9b457cb976a84d54f3b3258ed3b08e14d6ba220cef3ebd8abcd6e201e4
Opcode Fuzzy Hash: adeb5e276340ad6fa3d53176e38ffb5e58c1499704c489fbf40d86a9362c05b3
Instruction Fuzzy Hash: 62219474E40208AFDB00DFA5C886B9EB7F8EB44705F2081BAB514E7282D7789E05CB58

Function 0045527C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00455318
GetLastError.KERNEL32(0000003C,00000000,00455361,?,?,00000001,00000001), ref: 00455329

Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7

Strings

<, xrefs: 004552D2

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
Instruction ID: ea799879bbb6ab716a70283d096866571a468ac1fa4b8cc73728b10af3e72d10
Opcode Fuzzy Hash: 57012810d142c3df1a5160bec437aa7c33a0c7c828d826884eb3f35a8728d1b1
Instruction Fuzzy Hash: 02215370A00609ABDB10DFA5D8926AE7BF8AF18355F50443AFC44E7281D7789949CB58

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02179364,00001860,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C

Function 004964FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496539

Strings

@, xrefs: 00496504
/INITPROCWND=$%x , xrefs: 00496564

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
Instruction ID: 8ac61a852f64af84e8a4d996ffe215da0ea6a1f7c0dd4c2642a2787a2d41e8fe
Opcode Fuzzy Hash: 552611a81f91654fc44d41bb0f0c519a98a2c07263e337a61ce07e3eab6c417a
Instruction Fuzzy Hash: C711A531A043089FDB01DF64E855BAE7BE8EB48324F52847BE404E7281DB3CE905CA58

Function 00447424 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 004474D6

Strings

NIL Interface Exception, xrefs: 00447478
Unknown Method, xrefs: 004474AF

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
Instruction ID: aafd2560cbf8ba646f5ae6954b41d26adab4393ec7197c17a1bba45f9511721b
Opcode Fuzzy Hash: 258d3c6477c64922ebec54d5f4264d59c03dbf12c3c57b46792931bb3fd1eaaf
Instruction Fuzzy Hash: 0811D6306042049FEB10DFA59D42A6EBBACEB49704F91403AF504E7681C7789D01CB69

Function 0042DD74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8

Strings

Inno Setup: No Icons, xrefs: 0042DD86

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
Instruction ID: 05ef73584c9e0c756a5fead926ccd29af3c260b6948a855c27afe474e1c18ecb
Opcode Fuzzy Hash: e0e38617d7780f69d75f26860b1501b2527d54a68fe4bf3310a8a6dfd5a7631c
Instruction Fuzzy Hash: B2012B36F5A77179F73046256D02BBB56888B82B60F68453BF940EA2C0D6589C04C36E

Function 00497234 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 004555D0: GetCurrentProcess.KERNEL32(00000028), ref: 004555DF
Part of subcall function 004555D0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555E5

SetForegroundWindow.USER32(?), ref: 00497266

Strings

Restarting Windows., xrefs: 00497243
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497291

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
Instruction ID: f042dff5c045186d33be5417afa4f05d679b9763972d2bb00463d131ea403ed4
Opcode Fuzzy Hash: 699fd1f27132e499a72d678966239612eac8b61dfe9d57f4c88cf0c32b356d0f
Instruction Fuzzy Hash: FD01D8706282406BEB00EB65E981B9C3F99AB5430CF5040BBF900A72D3D73C9945871D

Function 004979D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047CD84: FreeLibrary.KERNEL32(74A90000,004814B7), ref: 0047CD9A

Part of subcall function 0047CA54: GetTickCount.KERNEL32 ref: 0047CA9E

Part of subcall function 004570CC: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570EB

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049832B), ref: 00497A29
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049832B), ref: 00497A2F

Strings

Detected restart. Removing temporary directory., xrefs: 004979E3

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
Instruction ID: 93f06bea8fcfa1b224d7ac257058da4e76460d04d1e35911cc499d3d1c0dfa98
Opcode Fuzzy Hash: e611eeaa9fed28cadb8c69ef2edffd8a52967f1f4ce985551ff58b7f7fd4f302
Instruction Fuzzy Hash: 51E0553120C3002EDA02B7B2BC52A2F7F8CD701728311083BF40882452C43D1810C77D

Function 00455660 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 0045567F
Sleep.KERNEL32(?), ref: 0045568F
GetLastError.KERNEL32 ref: 004556A2
GetLastError.KERNEL32 ref: 004556AC

Memory Dump Source

Source File: 00000001.00000002.3383055145.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3382996228.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383320369.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383411799.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383442504.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3383511309.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Xzm9fAfKhB.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
Instruction ID: a2606c7dd4c17da0a3c90c20a229de96912268129783a4208f21052e6a4fbdd3
Opcode Fuzzy Hash: 11e49af8eca5aab8e77903997d46822470632a6293514e89f51700c73713890d
Instruction Fuzzy Hash: 62F02436B01D64578F20A59E998193F63DDEA94376750013BFC0CDB303D438CC098AA9

Analysis Process: zextervideocodec32_64.exePID: 6236, Parent PID: 64COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	83.4%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 02C572AB Relevance: 95.2, APIs: 41, Strings: 13, Instructions: 659
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000EA60), ref: 02C56708
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C56713
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C56724
_memset.LIBCMT ref: 02C56779
_memset.LIBCMT ref: 02C56788
InternetOpenA.WININET(?), ref: 02C572B5
InternetSetOptionA.WININET(00000000,00000002,?), ref: 02C572DD
InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02C572F5
InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02C5730D
_memset.LIBCMT ref: 02C5731D
InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02C57336
InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C57358
InternetCloseHandle.WININET(00000000), ref: 02C57378
InternetCloseHandle.WININET(00000000), ref: 02C57383
_memset.LIBCMT ref: 02C573CB
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C573EE
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C573FF
_malloc.LIBCMT ref: 02C57498
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C574AA
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C574B6
_memset.LIBCMT ref: 02C574D0
_memset.LIBCMT ref: 02C574DF
_memset.LIBCMT ref: 02C574EF
_memset.LIBCMT ref: 02C57502
_memset.LIBCMT ref: 02C57518
_malloc.LIBCMT ref: 02C5758E
_memset.LIBCMT ref: 02C5759F
_strtok.LIBCMT ref: 02C575BF
_swscanf.LIBCMT ref: 02C575D6
_strtok.LIBCMT ref: 02C575ED
_free.LIBCMT ref: 02C575F9
Sleep.KERNEL32(000007D0), ref: 02C576F1
_memset.LIBCMT ref: 02C57765
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C57772
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C57784
_sprintf.LIBCMT ref: 02C57822
RtlEnterCriticalSection.NTDLL(00000020), ref: 02C578E6
RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C5791A

Strings

updips, xrefs: 02C57441, 02C577D0
auth_ip, xrefs: 02C57563, 02C577F4
disconnect, xrefs: 02C57419, 02C57742
urls, xrefs: 02C57B36
auth_swith, xrefs: 02C57537
connect, xrefs: 02C57405, 02C57470
updurls, xrefs: 02C57455, 02C57B00
idle, xrefs: 02C5742D, 02C5779D
<htm, xrefs: 02C57391
, xrefs: 02C57A94
%d;, xrefs: 02C5781C
block, xrefs: 02C575A7
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C56739

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
API String ID: 696907137-1839899575
Opcode ID: d7f0ae7db8e4c39c3d060bcd6e92c58028e86f19595901562096c9ef853cf5ab
Instruction ID: fc374c7ec84dc5856b1ee06eaac56818558e8bb2c3e89a23d0e1e829a4ba01fe
Opcode Fuzzy Hash: d7f0ae7db8e4c39c3d060bcd6e92c58028e86f19595901562096c9ef853cf5ab
Instruction Fuzzy Hash: CA3224315483919FE334AB20DC44BABB7EAAFC5314F14092DF98997291EB70D588CB5B

Function 02C5648B Relevance: 82.5, APIs: 42, Strings: 5, Instructions: 228
memorysleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(02C871E0), ref: 02C564BA
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C564D1
GetProcAddress.KERNEL32(00000000), ref: 02C564DA
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C564E9
GetProcAddress.KERNEL32(00000000), ref: 02C564EC
GetTickCount.KERNEL32 ref: 02C564F8

Part of subcall function 02C5605A: _malloc.LIBCMT ref: 02C56068

GetVersionExA.KERNEL32(02C87038), ref: 02C56525
_memset.LIBCMT ref: 02C56544
_malloc.LIBCMT ref: 02C56551

Part of subcall function 02C62F8C: __FF_MSGBANNER.LIBCMT ref: 02C62FA3
Part of subcall function 02C62F8C: __NMSG_WRITE.LIBCMT ref: 02C62FAA
Part of subcall function 02C62F8C: RtlAllocateHeap.NTDLL(00680000,00000000,00000001), ref: 02C62FCF

_malloc.LIBCMT ref: 02C56561
_malloc.LIBCMT ref: 02C5656C
_malloc.LIBCMT ref: 02C56577
_malloc.LIBCMT ref: 02C56582
_malloc.LIBCMT ref: 02C5658D
_malloc.LIBCMT ref: 02C56598
_malloc.LIBCMT ref: 02C565A7
GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C565BE
RtlAllocateHeap.NTDLL(00000000), ref: 02C565C7
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C565D6
RtlAllocateHeap.NTDLL(00000000), ref: 02C565D9
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C565E4
RtlAllocateHeap.NTDLL(00000000), ref: 02C565E7
_memset.LIBCMT ref: 02C565FA
_memset.LIBCMT ref: 02C56606
_memset.LIBCMT ref: 02C56613
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C56621
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C5662E
_malloc.LIBCMT ref: 02C56652
_malloc.LIBCMT ref: 02C56660
_malloc.LIBCMT ref: 02C56667
_malloc.LIBCMT ref: 02C5668D
QueryPerformanceCounter.KERNEL32(00000200), ref: 02C566A0
Sleep.KERNELBASE ref: 02C566AE
_malloc.LIBCMT ref: 02C566BA
_malloc.LIBCMT ref: 02C566C7
_memset.LIBCMT ref: 02C566DC
_memset.LIBCMT ref: 02C566EC
Sleep.KERNELBASE(0000EA60), ref: 02C56708
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C56713
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C56724
_memset.LIBCMT ref: 02C56779
_memset.LIBCMT ref: 02C56788

Strings

ntdll.dll, xrefs: 02C564C6, 02C564D0, 02C564E1
strcat, xrefs: 02C564DC
sprintf, xrefs: 02C564CB
cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02C5666F
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C56739

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
API String ID: 2251652938-2678694477
Opcode ID: 69d785642b0dd562199989ae44901a6e2d380f748aca3ba6507a8fbac764dd81
Instruction ID: 9b3c9a478b33c95a81bbc1905ba420ced33ba5fa7f1f3e73f6cb1d6bdeda4eb7
Opcode Fuzzy Hash: 69d785642b0dd562199989ae44901a6e2d380f748aca3ba6507a8fbac764dd81
Instruction Fuzzy Hash: 4F71A2B1D48350AFE3206B309C89B6BBBE8EF45710F104929F98597281DBB99844DF96

Function 00401B4B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B

Strings

o, xrefs: 00401BF2
iphlpapi.dll, xrefs: 00401B58
GetAdaptersInfo, xrefs: 00401B6E

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll$o
API String ID: 514930453-3667123677
Opcode ID: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
Instruction ID: 38440359ad4724572ca0372a4bc8090c683b298b5ffde01d95b1867a6a9b844d
Opcode Fuzzy Hash: b984b7dde6bf878e61bd9d6389ae28c16a21e2d2acce5cac07de2378b9438879
Instruction Fuzzy Hash: F921B870904109AFEF119F65C9447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

Function 02C5F97D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02C5F993
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C5F9AC
GetAdaptersInfo.IPHLPAPI(?,?), ref: 02C5F9D1
FreeLibrary.KERNEL32(00000000), ref: 02C5FA5A

Strings

GetAdaptersInfo, xrefs: 02C5F9A6
iphlpapi.dll, xrefs: 02C5F987

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: 89862497a42279f6718455056c26ee2b7ab7c9ec41b8e8ff93d1262ebe51f68d
Instruction ID: 7848483bd22fc3de8e8923d8b3f783f6dc580320d21e63ecd6ecbcff59e4b9cd
Opcode Fuzzy Hash: 89862497a42279f6718455056c26ee2b7ab7c9ec41b8e8ff93d1262ebe51f68d
Instruction Fuzzy Hash: 9221EB71E40219ABDF15DB68D8846EEBBF89F46300F14416DED05E7611D730CA85CBA9

Function 02C5F879 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02C5F898
DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02C5F8D6
GetLastError.KERNEL32 ref: 02C5F937
CloseHandle.KERNELBASE(?), ref: 02C5F96E

Strings

\\.\PhysicalDrive0, xrefs: 02C5F891

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 088a673d7d859c8ae5607e4cbf86383995eb187402adcfd9435aa82064e40fe1
Instruction ID: 21e3e473c8830b77b452e6ad140336fed2d2badfc4d416376d64b9c2923494a5
Opcode Fuzzy Hash: 088a673d7d859c8ae5607e4cbf86383995eb187402adcfd9435aa82064e40fe1
Instruction Fuzzy Hash: A731F471E00629BBDB18DF95D884BAEBBB9FF46714F20416EE904A3640D7709B44CBD4

Function 00401A4F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
GetLastError.KERNEL32 ref: 00401B0E
CloseHandle.KERNELBASE(?), ref: 00401B3D

Strings

\\.\PhysicalDrive0, xrefs: 00401A63

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
Instruction ID: fc4aaa1cf60edb7db06fdbd05dea25136cd7d186831ecbc7bbbcf924abbffa34
Opcode Fuzzy Hash: 3afb43cc3dedd2849d90584800b0b4b1cc754ecdd9339dbac4238ad8ee4012bf
Instruction Fuzzy Hash: 74318B71D00218EADB21AFA5CD849EFBBB9FF41750F20407AE554B32A0E7785E45CB98

Function 00402199 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNELBASE ref: 00402199
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040D15A
lstrcmpiW.KERNEL32(?,0040915C), ref: 0040D764

Strings

test, xrefs: 0040D9CA

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: lstrcmpi$CtrlDispatcherServiceStart
String ID: test
API String ID: 2172614945-3632233996
Opcode ID: 5ae61f63a8e06413efbf1cbc6131c1c7aae20cf67e079e7d3b8cd5e39f076596
Instruction ID: e6d18fb5675363f103dcfed14c989fe5127fa8abfa2e43cfdb745462f06fff5f
Opcode Fuzzy Hash: 5ae61f63a8e06413efbf1cbc6131c1c7aae20cf67e079e7d3b8cd5e39f076596
Instruction Fuzzy Hash: 0FF068B4E08201EAEB106FB19E4C67E7754BB09301B30847BA447B11D1CB7C450E6A9F

Function 0040D487 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/chk, xrefs: 0040D505

Memory Dump Source

Source File: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID:
String ID: /chk
API String ID: 0-3837807730
Opcode ID: 29d1cf7ffd5baad62fb2cddb07dcb7a5a4ece1c976db70669faed20f2cdf337e
Instruction ID: 025942cb242d3d5260985c598898fe5e06497644a84d452e8f5b1ec8b5760f88
Opcode Fuzzy Hash: 29d1cf7ffd5baad62fb2cddb07dcb7a5a4ece1c976db70669faed20f2cdf337e
Instruction Fuzzy Hash: 8901DCB6C1C902E5E7114AD44D8A8BB2B6CE80A30C7244433D287BA4C3DA7C944F914E

Function 02C56391 Relevance: 72.0, APIs: 39, Strings: 2, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02C5666F
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C56739

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID:
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d
API String ID: 0-3100210275
Opcode ID: 153a76e445829bf015b070ebd64ed1d13c8fff9293354526e4cf1e98cee6a1f2
Instruction ID: ca78f749bc63aaf45cb5147b512dc156acdf74ff42dcd31d27e6eddf80bb39c7
Opcode Fuzzy Hash: 153a76e445829bf015b070ebd64ed1d13c8fff9293354526e4cf1e98cee6a1f2
Instruction Fuzzy Hash: 59A104718483609FD324AF349C89B6BFBE4EF86314F20095EF98497281DB758949CB97

Function 00401F64 Relevance: 12.1, APIs: 8, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
GetLastError.KERNEL32 ref: 00401F86
SizeofResource.KERNEL32(00000000), ref: 00401F93
LoadResource.KERNEL32(00000000), ref: 00401FAD
LockResource.KERNEL32(00000000), ref: 00401FB4
GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
GetTickCount.KERNEL32 ref: 00401FFB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
String ID:
API String ID: 564119183-0
Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
Instruction ID: 5f40b5bb2c798fd06435bc38b1d437300a77b6e6fc54339f6675bf13ecd45336
Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
Instruction Fuzzy Hash: 45314E71A00255AFDB105FB59F8896F7F68EF45344F10807AFE86F7281DA748845C7A8

Function 00402EB0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00402ED6

Part of subcall function 00403FF4: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005
Part of subcall function 00403FF4: HeapDestroy.KERNEL32 ref: 00404044

GetCommandLineA.KERNEL32 ref: 00402F24
GetStartupInfoA.KERNEL32(?), ref: 00402F4F
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402F72

Part of subcall function 00402FCB: ExitProcess.KERNEL32 ref: 00402FE8

Strings

Y, xrefs: 00402F3E
@6h, xrefs: 00402F2A

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: @6h$Y
API String ID: 2057626494-1877685705
Opcode ID: bde1f74d60b81ae7252d13bfcbc661632079e5aa7379041ec1857b7291440294
Instruction ID: ae24bdd31f92ba5c0019e7eb98566f973638ce5b9b082510a96f2684413349a7
Opcode Fuzzy Hash: bde1f74d60b81ae7252d13bfcbc661632079e5aa7379041ec1857b7291440294
Instruction Fuzzy Hash: 3721A1B1840615ABDB14AFA6DE4AA6E7FB8EF44705F10413FF501B72D1DB384500CB58

Function 0040276D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 00402792

Strings

Common AppData, xrefs: 004027CB

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: QueryValue
String ID: Common AppData
API String ID: 3660427363-2574214464
Opcode ID: 158ae254c2c16aa740a981b966b7fddd2cbe96f16fcdc6f9a27de899f2d968d4
Instruction ID: 9a277ccd48b8da7b9e07736cee9e399eb09a3ecf5512108b267f3c7f6d774d12
Opcode Fuzzy Hash: 158ae254c2c16aa740a981b966b7fddd2cbe96f16fcdc6f9a27de899f2d968d4
Instruction Fuzzy Hash: FFE09270C18104EBCB010BE04E0897E37747A087257314E77E423760E1C7BE580AB69F

Function 02C51AA9 Relevance: 4.5, APIs: 3, Instructions: 18
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedIncrement.KERNEL32(02C872AC), ref: 02C51ABA
WSAStartup.WS2_32(00000002,00000000), ref: 02C51ACB
InterlockedExchange.KERNEL32(02C872B0,00000000), ref: 02C51AD7

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: 0dc8780c7c47b5a12c2f4dd569edb5f3b8e454c1868d439314f214d4ef8c0fd7
Instruction ID: 80aa5ba344de8d5a2228135c679c00bf9b5537c4ebf31b7937dd1879f2a010d7
Opcode Fuzzy Hash: 0dc8780c7c47b5a12c2f4dd569edb5f3b8e454c1868d439314f214d4ef8c0fd7
Instruction Fuzzy Hash: 61D05E7599021CABE32176A0AC0EB78F72CF705625F100765FC6AC00C0EA90562C86E7

Function 0040279F Relevance: 4.5, APIs: 3, Instructions: 12
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 0040279F
CommandLineToArgvW.SHELL32(00000000), ref: 00402895
GetLocalTime.KERNEL32(0040C2B8), ref: 0040D9FE

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: CommandLine$ArgvLocalTime
String ID:
API String ID: 3768950922-0
Opcode ID: b9f1d27c841553a6286a37432cf0b285126cb2c39f5f0c794a39fb817397f4e9
Instruction ID: de3cc8fe9ec75cbd48575bc385f6373e9aba7dd0c2470f36669371c28cae3d1f
Opcode Fuzzy Hash: b9f1d27c841553a6286a37432cf0b285126cb2c39f5f0c794a39fb817397f4e9
Instruction Fuzzy Hash: 5ED09271805102EFC3042BE09F0812936A4AA093453610A3EE243B51E0CB78104EAB2E

Function 0040D19E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(80000002,Software\SmallTour), ref: 0040D52A

Strings

Software\SmallTour, xrefs: 0040D19F

Memory Dump Source

Source File: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Create
String ID: Software\SmallTour
API String ID: 2289755597-3113880327
Opcode ID: eb4e32b9e61e82fc7f8fc0274ee4e68f45f73c1359f364c673ce3dd768ed4775
Instruction ID: 927dd9ebb52ca5c25177259832990301b57c9ecb35a80484e5a468b18b7f84d1
Opcode Fuzzy Hash: eb4e32b9e61e82fc7f8fc0274ee4e68f45f73c1359f364c673ce3dd768ed4775
Instruction Fuzzy Hash: E101A736D04101EBD6404B70BE61AE27BB5A716B95724417BD592731A3D238890BDA2E

Function 0040D243 Relevance: 3.0, APIs: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNELBASE(?), ref: 0040D5C1
RegCloseKey.KERNELBASE(?), ref: 0040D5CA

Memory Dump Source

Source File: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: CloseValue
String ID:
API String ID: 3132538880-0
Opcode ID: 713251547485dac0a2bbd8a3e555094c32b96ee7312fc95f47136c58e5ae1e1e
Instruction ID: e6331f095b514331b0d29c0ebab7d5f4f3fc4baceba449352ef9d25cf3a5f709
Opcode Fuzzy Hash: 713251547485dac0a2bbd8a3e555094c32b96ee7312fc95f47136c58e5ae1e1e
Instruction Fuzzy Hash: 53F06236D05141DBC7054BB0FE61AA57BF1B65ABA1325813AD58272272C334890ADB19

Function 00403FF4 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F0F,00000000), ref: 00404005

Part of subcall function 00403EAC: GetVersionExA.KERNEL32 ref: 00403ECB

HeapDestroy.KERNEL32 ref: 00404044

Part of subcall function 004043CB: HeapAlloc.KERNEL32(00000000,00000140,0040402D,000003F8), ref: 004043D8

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
Instruction ID: b1684c5e0161eeb02f30399066ba6d75b4260e35b9d13e26dc8fbe5d47634710
Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
Instruction Fuzzy Hash: F5F092F0656301DAEB301B75AE46B3A39949BC0796F20443BF740F91E1EF7C8481960D

Function 0040D56B Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?), ref: 0040D5CA

Memory Dump Source

Source File: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 602ae3e857ddb9a477b990e8c51bbb5b03d0f4ff67d1b8e24c6534ee993f563a
Instruction ID: a36abb13542148fe0e2184bce6fc4a30d84a4443659d953cd64425ef62fa15e7
Opcode Fuzzy Hash: 602ae3e857ddb9a477b990e8c51bbb5b03d0f4ff67d1b8e24c6534ee993f563a
Instruction Fuzzy Hash: 47117139904252DBC3018B74EE55AA57FB0F61B750318457AC8D162363C334DD0BDB5C

Function 0040D553 Relevance: 1.6, APIs: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?), ref: 0040D5CA

Memory Dump Source

Source File: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e6f74f1aae8f8915e941b36548827f360267f7e4e505bab853985922fbd2a965
Instruction ID: b75ff2dc20aaa2e6f21dbf5a413c5fb9bbeedf7bbd5764e02b2ca00ed5a47c52
Opcode Fuzzy Hash: e6f74f1aae8f8915e941b36548827f360267f7e4e505bab853985922fbd2a965
Instruction Fuzzy Hash: E201F53A8052629BCB018B74FE61691BFB1F65A7A1324427AD5D263273C7358C0BC758

Function 02CBF515 Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 02CEF8BE

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C8A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c8a000_zextervideocodec32_64.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 176542e9f48ebae08642a828cca8b9952e713307d605857cae1e8d1fc4cedf0f
Instruction ID: 5b30e7554225d64f0d92fdd1bb9a0f3548dd08dc0d1ff28b552236511e0287e4
Opcode Fuzzy Hash: 176542e9f48ebae08642a828cca8b9952e713307d605857cae1e8d1fc4cedf0f
Instruction Fuzzy Hash: 3D1109B211CA049FD719AF29E886779FBE8EF48710F06092DE6C5C3740EA315444CA9B

Function 004025D4 Relevance: 1.5, APIs: 1, Instructions: 41libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 004025DA

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c377e47094d1c1f418745f8923c2daa3cfa784174354ddc77f39fa208488e0e1
Instruction ID: dad39ec4c4a36b0a020ba36cb40b54c5f2fcb52c5045fa4b7e1fd514a1d859ca
Opcode Fuzzy Hash: c377e47094d1c1f418745f8923c2daa3cfa784174354ddc77f39fa208488e0e1
Instruction Fuzzy Hash: 02014B34A0030ACBDB14CFA9D8D0B9637A0BB05750F6446AAD965EB295D734D90ACF26

Function 00402342 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 0040D5F3

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c990979c1844e3b86e7c6809e5fb8eb5e46c0e9cbd060de99f8df69504127ef8
Instruction ID: 32c96c72d1fdc658770ac6147e863496cde44dd24ac3f560ed056d496bb7c34d
Opcode Fuzzy Hash: c990979c1844e3b86e7c6809e5fb8eb5e46c0e9cbd060de99f8df69504127ef8
Instruction Fuzzy Hash: A1C08CA494C216F9D00025A00F8CF33215C8700788B20817B3903B10C1C4BC948BF03F

Function 02C561F5 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C56203

Part of subcall function 02C62F8C: __FF_MSGBANNER.LIBCMT ref: 02C62FA3
Part of subcall function 02C62F8C: __NMSG_WRITE.LIBCMT ref: 02C62FAA
Part of subcall function 02C62F8C: RtlAllocateHeap.NTDLL(00680000,00000000,00000001), ref: 02C62FCF

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: dc7c132d67aafab87397cbb161f38c27fba4595563d512ad060e5800187056c7
Instruction ID: b08e9e7a8e30076cdf01a79fcbf3215a3aef6897d6ddfbb69aa5b512d356ed5c
Opcode Fuzzy Hash: dc7c132d67aafab87397cbb161f38c27fba4595563d512ad060e5800187056c7
Instruction Fuzzy Hash: 72C0127090920A7F870CAAA9188585FBDBC9704701F10416DA50596281D570094085A6

Function 0040220B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE ref: 0040220C

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 4bd4fa03f0a192a976a056be9e61e5c0d78db41fa319a90d6d207b85695bff87
Instruction ID: eeb2a21f5a177b313222c4024f32d818217300d85d52e7011245ffeeed06a56a
Opcode Fuzzy Hash: 4bd4fa03f0a192a976a056be9e61e5c0d78db41fa319a90d6d207b85695bff87
Instruction Fuzzy Hash: B0B0927408A924E2C60223B00F1DDAF202C2E0A781331807BB682700D14AFC1A0B22BF

Function 0040230D Relevance: 1.5, APIs: 1, Instructions: 10registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 0040230D

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ac16492dc500231346d158f7620a563ccfadfa18a928bd35894e83afd742e737
Instruction ID: a130fa5e48b560970f07615ca9469a598ec7d6b9975e09baeb9bbecdfdaf3fbf
Opcode Fuzzy Hash: ac16492dc500231346d158f7620a563ccfadfa18a928bd35894e83afd742e737
Instruction Fuzzy Hash: 93C00230A18116DBD7448AF18B482AA66A46B40348F6149BB9417B25C0E7BD968E6A1F

Function 00402858 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00402858

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a7b0b7e89708bd837af10ae4be236a98302593f610d11f17fd14d8da2e32efd4
Instruction ID: 942287d6cc7425515ac5a4c5928e916850624a1805b0f3c2f8add6f4f2a1b579
Opcode Fuzzy Hash: a7b0b7e89708bd837af10ae4be236a98302593f610d11f17fd14d8da2e32efd4
Instruction Fuzzy Hash: 6E9002302044129AC6900E105B9C018255351403163610439D786E40E4CA744489A51E

Function 02C99483 Relevance: 1.4, APIs: 1, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02CF092E

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C8A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c8a000_zextervideocodec32_64.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 04bb44353ebf7b4c18ad34af7d129917bc4d122c9551fc33667139dc8f5d175e
Instruction ID: 54f94ecbd3998e8eb15ff03187884fb64093822161b4d6d0c7dafefc9cd4af21
Opcode Fuzzy Hash: 04bb44353ebf7b4c18ad34af7d129917bc4d122c9551fc33667139dc8f5d175e
Instruction Fuzzy Hash: 8C318FB290D610AFE3056E19DC81BBAB7E8EF58760F06492EEAC5C3200E6355840C6D7

Function 0040222F Relevance: 1.3, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0040D026

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7b6db3901bd67a4416983e2a8edd626fbd5c53e8406e17de7cd64e884ba0ab48
Instruction ID: 19d457f24e78600376c53a8485c156f40cee28a1337523e6f748313ffbe2c5e4
Opcode Fuzzy Hash: 7b6db3901bd67a4416983e2a8edd626fbd5c53e8406e17de7cd64e884ba0ab48
Instruction Fuzzy Hash: E9214935808242DBD704CFB4EE917A17BB0B705750F28827BC596B31E2C378890ADB1E

Function 004027E3 Relevance: 1.3, APIs: 1, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 0040D62B

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1dd41e6686bd822ea595729d237ab53c9cdcc9704c691854a431aa7eaaa3c26a
Instruction ID: 0b6dd63b63fbbc38307b0e82f0bb62100026e0ae42352c4b099ee0d801dcd9a1
Opcode Fuzzy Hash: 1dd41e6686bd822ea595729d237ab53c9cdcc9704c691854a431aa7eaaa3c26a
Instruction Fuzzy Hash: 33E0D861C0C7C0AFC3022A604A58A79BB18BF29304F2519B7E442761D1E43E0807A77F

Function 004026BA Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 004026C3

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eedf54f1546ecde272d8f04992911208c152afd1baa7028af89c0e707a28f26e
Instruction ID: 74f137ddbcde1c77c26fe787cba9ddbea217936d1492596de739919d1302819c
Opcode Fuzzy Hash: eedf54f1546ecde272d8f04992911208c152afd1baa7028af89c0e707a28f26e
Instruction Fuzzy Hash: D5E0C271C14304AFC7019B248D8469EB7F4AF05320F018A6AF175B32C0C77C6929DBDA

Function 00402222 Relevance: 1.3, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 004026C3

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 439dd529b9abb2b2adc7dce84e893a85a3a44bed3194729940265dbcb0abde27
Instruction ID: d24ba4203171b81c8d1ff0907d4106163ffdccce9a791f9bef02934f7126e645
Opcode Fuzzy Hash: 439dd529b9abb2b2adc7dce84e893a85a3a44bed3194729940265dbcb0abde27
Instruction Fuzzy Hash: D5D0C2318002049FD300AB408A45BAAB3B0BB04300F10803AE051721C0C3B858299BDA

Function 00402865 Relevance: 1.3, APIs: 1, Instructions: 5sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 0040D62B

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: df2313319e77dccb116f50e8ab8f6206455693badbc0acb58ba5efbf54a0ed84
Instruction ID: eea654838261cd072344f1549b98415cc54984fc4591f7fcd9b81e2a24225462
Opcode Fuzzy Hash: df2313319e77dccb116f50e8ab8f6206455693badbc0acb58ba5efbf54a0ed84
Instruction Fuzzy Hash: 10A00131E88A0096E6402AE46F1AB3A2620BB05B01F26192B624A784D449BE144A6B9B

Non-executed Functions

Function 02C608A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02C59AAF: __EH_prolog.LIBCMT ref: 02C59AB4
Part of subcall function 02C59AAF: _Allocate.LIBCPMT ref: 02C59B0B
Part of subcall function 02C59AAF: _memmove.LIBCMT ref: 02C59B62

_memset.LIBCMT ref: 02C60919
FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C60982
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C6098A

Strings

Unknown error, xrefs: 02C609D9
invalid string position, xrefs: 02C60AD6

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
String ID: Unknown error$invalid string position
API String ID: 1854462395-1837348584
Opcode ID: bcd34afd868bd55e7d5c3f70e6c24d69de4f9cfcab1044d305f0cb6671ac5c22
Instruction ID: 645ab9288d2bdfc5d51da7482b09ed64adc5fde8cfa30c6cd48e0d6ba174e945
Opcode Fuzzy Hash: bcd34afd868bd55e7d5c3f70e6c24d69de4f9cfcab1044d305f0cb6671ac5c22
Instruction Fuzzy Hash: D951BD70248341DFE714CF25C894B2FBBE5BB98748F50092DE482A7692D772D688CB96

Function 00402170 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040D15A

Strings

test, xrefs: 0040D9CA

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID: test
API String ID: 3789849863-3632233996
Opcode ID: 62d4dfb808210626677f020231cc8997fd32626447a6781c4c939b5edb5d32bc
Instruction ID: 73591cfe463514ed459f964e2c340f9966edd9af912481339b9f9d215462bc13
Opcode Fuzzy Hash: 62d4dfb808210626677f020231cc8997fd32626447a6781c4c939b5edb5d32bc
Instruction Fuzzy Hash: EEE01274D08344E9EB10DFA08A489796774AB45300B308077D50AB62D5C77D4E4F7A0F

Function 0040D3E8 Relevance: 3.0, APIs: 2, Instructions: 9serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32 ref: 0040D3E8
CloseServiceHandle.ADVAPI32(?), ref: 0040D3F9

Memory Dump Source

Source File: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Service$CloseCreateHandle
String ID:
API String ID: 1873643653-0
Opcode ID: dbbf10d3d4f90bdd11982929392454f3b4702c9dbdfe5cd029521d635c4322fa
Instruction ID: 569c7dc1a6a3224979b4ee1e760b0c65d326e05aa0229ed68e38a6959c0f0250
Opcode Fuzzy Hash: dbbf10d3d4f90bdd11982929392454f3b4702c9dbdfe5cd029521d635c4322fa
Instruction Fuzzy Hash: D8C08C30808000EBCF209FA09F0C4183630A38032032280B9E082B20A0CB389D0EBB2C

Function 02C69508 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,02C64E76,?,?,?,00000001), ref: 02C6950D
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02C69516

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 308ef0e0d73ab8185c7f95aaed134036eecee4c7c04848c8255b4a9a9744a885
Instruction ID: 90f6ad015ad1614c4d369e3cb6a0f2473d2fa2541db98a24d824a325cd900c37
Opcode Fuzzy Hash: 308ef0e0d73ab8185c7f95aaed134036eecee4c7c04848c8255b4a9a9744a885
Instruction Fuzzy Hash: 07B0923148420CEBCB012B91EC0DB89BF28FB046A2F004910F60E440508B6254289AE1

Function 02C51CF8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C51D11
GetLastError.KERNEL32 ref: 02C51D23

Part of subcall function 02C51712: __EH_prolog.LIBCMT ref: 02C51717

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C51D59
GetLastError.KERNEL32 ref: 02C51D6B
__beginthreadex.LIBCMT ref: 02C51DB1
GetLastError.KERNEL32 ref: 02C51DC6
CloseHandle.KERNEL32(00000000), ref: 02C51DDD
CloseHandle.KERNEL32(00000000), ref: 02C51DEC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02C51E14
CloseHandle.KERNEL32(00000000), ref: 02C51E1B

Strings

thread.exit_event, xrefs: 02C51D84
thread, xrefs: 02C51DFB
thread.entry_event, xrefs: 02C51D3C

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 831262434-3017686385
Opcode ID: 2d94d03022bbc0dedb44d478e1fb0e4d4e9bc766f13aaad035c7019da59bd27e
Instruction ID: 57044fe7f9fd87190811dc0d0f0714d48c03d6b995dc70f364bd08580eda8489
Opcode Fuzzy Hash: 2d94d03022bbc0dedb44d478e1fb0e4d4e9bc766f13aaad035c7019da59bd27e
Instruction Fuzzy Hash: D831AB719403159FD700EF24C888B2BBBA9FB84750F144A6DF8599B291DBB0D989CFD2

Function 02C524E1 Relevance: 21.2, APIs: 14, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C524E6
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02C524FC
RtlEnterCriticalSection.NTDLL(?), ref: 02C5250E
RtlLeaveCriticalSection.NTDLL(?), ref: 02C5256D
SetLastError.KERNEL32(00000000,?,7622DFB0), ref: 02C5257F
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7622DFB0), ref: 02C52599
GetLastError.KERNEL32(?,7622DFB0), ref: 02C525A2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C525F0
InterlockedDecrement.KERNEL32(00000002), ref: 02C5262F
InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C5268E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C52699
InterlockedExchange.KERNEL32(00000000,00000001), ref: 02C526AD
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7622DFB0), ref: 02C526BD
GetLastError.KERNEL32(?,7622DFB0), ref: 02C526C7

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
String ID:
API String ID: 1213838671-0
Opcode ID: a6f9e745d49c7ce74c10b4690dba00d693bef7f29dd941fd427719b59fbae4e2
Instruction ID: 44cbee8cdffd3ea9eae4f97cc3434d37220da3a1a253e20cc607f42955f88e50
Opcode Fuzzy Hash: a6f9e745d49c7ce74c10b4690dba00d693bef7f29dd941fd427719b59fbae4e2
Instruction Fuzzy Hash: D0612F71940219AFCB11DFA4C988AAEFBF9FF48310F10456AE916E3240D734DA58CFA5

Function 02C54603 Relevance: 19.9, APIs: 13, Instructions: 442networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C54608

Part of subcall function 02C63B2C: _malloc.LIBCMT ref: 02C63B44

htons.WS2_32(?), ref: 02C54669
htonl.WS2_32(?), ref: 02C5468C
htonl.WS2_32(00000000), ref: 02C54693
htons.WS2_32(00000000), ref: 02C54747
_sprintf.LIBCMT ref: 02C5475D

Part of subcall function 02C58962: _memmove.LIBCMT ref: 02C58982

htons.WS2_32(?), ref: 02C546B0

Part of subcall function 02C5970D: __EH_prolog.LIBCMT ref: 02C59712
Part of subcall function 02C5970D: RtlEnterCriticalSection.NTDLL(00000020), ref: 02C5978D
Part of subcall function 02C5970D: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C597AB

Part of subcall function 02C51BA7: __EH_prolog.LIBCMT ref: 02C51BAC
Part of subcall function 02C51BA7: RtlEnterCriticalSection.NTDLL ref: 02C51BBC
Part of subcall function 02C51BA7: RtlLeaveCriticalSection.NTDLL ref: 02C51BEA
Part of subcall function 02C51BA7: RtlEnterCriticalSection.NTDLL ref: 02C51C13
Part of subcall function 02C51BA7: RtlLeaveCriticalSection.NTDLL ref: 02C51C56

Part of subcall function 02C5DEC9: __EH_prolog.LIBCMT ref: 02C5DECE

htonl.WS2_32(?), ref: 02C5497C
htonl.WS2_32(00000000), ref: 02C54983
htonl.WS2_32(00000000), ref: 02C549C8
htonl.WS2_32(00000000), ref: 02C549CF
htons.WS2_32(?), ref: 02C549EF
htons.WS2_32(?), ref: 02C549F9

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
String ID:
API String ID: 1645262487-0
Opcode ID: c5b29de529f0a7f1588f5821a89284f6f983722372847f609888acf048cd748d
Instruction ID: 85de4fb93ade5ee6df39a077537342dacfd431950673fb46312e42276f0e479a
Opcode Fuzzy Hash: c5b29de529f0a7f1588f5821a89284f6f983722372847f609888acf048cd748d
Instruction Fuzzy Hash: 67024A71C00269EEDF25DFA4C844BEEBBB9AF14304F10415AE905B7280DB749AC8DFA5

Function 004023B3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 75registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(EMAIL Safe Storage 10.2.46,Function_0000235E), ref: 004023C1
SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
GetLastError.KERNEL32 ref: 00402422
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
GetLastError.KERNEL32 ref: 00402450
SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
CloseHandle.KERNEL32 ref: 004024A1
SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA

Strings

EMAIL Safe Storage 10.2.46, xrefs: 004023BC

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: EMAIL Safe Storage 10.2.46
API String ID: 3346042915-4190116034
Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
Instruction ID: b8fe7bda3a7dcfcb82ad829e681adc6a99cb3bee06a9baca5ac2dc3afb04543b
Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
Instruction Fuzzy Hash: E121C570441214EBC2105F16EFE9A267FA8FBD5794711823EE544B22B2CBB90549CFAD

Function 02C68312 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 02C6831A
_free.LIBCMT ref: 02C68333

Part of subcall function 02C62F54: HeapFree.KERNEL32(00000000,00000000,?,02C65CB2,00000000,00000104,76230A60), ref: 02C62F68
Part of subcall function 02C62F54: GetLastError.KERNEL32(00000000,?,02C65CB2,00000000,00000104,76230A60), ref: 02C62F7A

_free.LIBCMT ref: 02C68346
_free.LIBCMT ref: 02C68364
_free.LIBCMT ref: 02C68376
_free.LIBCMT ref: 02C68387
_free.LIBCMT ref: 02C68392
_free.LIBCMT ref: 02C683B6
RtlEncodePointer.NTDLL(006A55F0), ref: 02C683BD
_free.LIBCMT ref: 02C683D2
_free.LIBCMT ref: 02C683E8
_free.LIBCMT ref: 02C68410

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: b1fcc4b72bd0e856b39f738845ecbe3bf1b424b81d289e15d6eabdc6389044e4
Instruction ID: 747e24352521fca97d547742c84c7d57d6f2604984f8d09b8c9546d0672bdef4
Opcode Fuzzy Hash: b1fcc4b72bd0e856b39f738845ecbe3bf1b424b81d289e15d6eabdc6389044e4
Instruction Fuzzy Hash: 7B216D32D442608FDB25AF14ECC87257B69BB447243298B39E80CA7240CB35996DDF9A

Function 02C54D86 Relevance: 16.8, APIs: 11, Instructions: 256COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C54D8B
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C54DB7
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C54DC3

Part of subcall function 02C54BED: __EH_prolog.LIBCMT ref: 02C54BF2
Part of subcall function 02C54BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02C54CF2

RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C54E93
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C54E99
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C54EA0
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C54EA6
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C550A7
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C550AD
RtlEnterCriticalSection.NTDLL(02C871E0), ref: 02C550B8
RtlLeaveCriticalSection.NTDLL(02C871E0), ref: 02C550C1

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
String ID:
API String ID: 2062355503-0
Opcode ID: 518a575f772c8c33978a5a93cc011fa56d3df6515b8e9775766b5bb26ec8abde
Instruction ID: 6bfe04dfe1d805d6b4ee9143bf5da1e6e6ab9268bdd42a50eda7ffd4cf8f5e24
Opcode Fuzzy Hash: 518a575f772c8c33978a5a93cc011fa56d3df6515b8e9775766b5bb26ec8abde
Instruction Fuzzy Hash: 52B16E75D0026DDFDF25DF90C844BEEBBB5AF44314F20419AE80576280DBB49A89CF95

Function 00403BA2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BBD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BD1
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403BFD
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C35
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C57
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F34), ref: 00403C70
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F34), ref: 00403C83
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403CC1

Strings

4/@, xrefs: 00403C6B, 00403C5D

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: 4/@
API String ID: 1823725401-3101945251
Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
Instruction ID: a2970ceca2a6c3f976dc545d3d2173026391ae6ff2d108e1c7f08cdddd2a955e
Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
Instruction Fuzzy Hash: AD31F27350C1245EE7202F785DC883B7E9CEA4534A711093FF942F3380EA798E81466D

Function 02C53423 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C53428
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02C5346B
GetProcAddress.KERNEL32(00000000), ref: 02C53472
GetLastError.KERNEL32 ref: 02C53486
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C534D7
RtlEnterCriticalSection.NTDLL(00000018), ref: 02C534ED
RtlLeaveCriticalSection.NTDLL(00000018), ref: 02C53518

Strings

KERNEL32, xrefs: 02C53466
CancelIoEx, xrefs: 02C53461

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 2902213904-434325024
Opcode ID: 2156e044d73269b2257001e2f94dcbd800f71347ace1c1dfedb2ecd70b2f5e57
Instruction ID: 1c807776661db9f62c06b9f1869c34f68530cb8ce58722a09e2e89cce8684232
Opcode Fuzzy Hash: 2156e044d73269b2257001e2f94dcbd800f71347ace1c1dfedb2ecd70b2f5e57
Instruction Fuzzy Hash: 1931ADB1900359DFDB019F68C884BAABBF9FF88350F0085A9EC06AB241D770D944CFA1

Function 00406578 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404381,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 0040658A
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065A2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065B3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004065C0

Strings

GetActiveWindow, xrefs: 004065AD
GetLastActivePopup, xrefs: 004065B5
MessageBoxA, xrefs: 0040659C
user32.dll, xrefs: 00406585

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 987b992b6f5bbeab899bec9017d6b859524fa9c80776c30a59c8d29f16b735e1
Instruction ID: 34c45dea863b0ad37b671b2ee6745cf1fa65c172ae9c71c573f5c1b511995102
Opcode Fuzzy Hash: 987b992b6f5bbeab899bec9017d6b859524fa9c80776c30a59c8d29f16b735e1
Instruction Fuzzy Hash: FA017571A40201FFCB209FB5BFC492B3AE99B58690306193FB541F2291DE79C815DB68

Function 00406857 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406899
LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004068B5
LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00406317,?,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 004068FE
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406317,00200020,00000000,?,00000000,00000000), ref: 00406936
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 0040698E
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406317,00200020,00000000,?,00000000), ref: 004069A4
LCMapStringW.KERNEL32(00000000,?,00406317,00000000,00406317,?,?,00406317,00200020,00000000,?,00000000), ref: 004069D7
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406317,00200020,00000000,?,00000000), ref: 00406A3F

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: e9f64dd7570e4df949ea1626fd4153753d4334a99172a5ae067b945d03b43c58
Instruction ID: 8dbeb6cb8c932cbdef2775d2a29e2de0fc7c35b208bd80b0a47b5516e3ba15ce
Opcode Fuzzy Hash: e9f64dd7570e4df949ea1626fd4153753d4334a99172a5ae067b945d03b43c58
Instruction Fuzzy Hash: 3E518A71500209EBCF219F94CD45AAF7BB5FB49714F12413AF912B12A0C73A8C21DB69

Function 0040425D Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 004042CA
GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004043A0
WriteFile.KERNEL32(00000000), ref: 004043A7

Strings

..., xrefs: 0040431C
<program name unknown>, xrefs: 004042DA
Microsoft Visual C++ Runtime Library, xrefs: 00404376
Runtime Error!Program: , xrefs: 00404330

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 4bb15c7821e3b7df3b39c29bb8507035fb8a1658cdd6742b24a8a426161d7798
Instruction ID: ad501088bf1d437e3d5a217a77e101a13ac7783d72fc0021c8d9dd27a33d1b06
Opcode Fuzzy Hash: 4bb15c7821e3b7df3b39c29bb8507035fb8a1658cdd6742b24a8a426161d7798
Instruction Fuzzy Hash: 52318772600218AFDF2096608E45FDA736DAF85304F1004BFF944B61D1EA789D458A5D

Function 02C615F0 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,61F409A3), ref: 02C61690
CloseHandle.KERNEL32(00000000), ref: 02C616A5
ResetEvent.KERNEL32(00000000,61F409A3), ref: 02C616AF
CloseHandle.KERNEL32(00000000,61F409A3), ref: 02C616E4
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,61F409A3), ref: 02C6175A
CloseHandle.KERNEL32(00000000), ref: 02C6176F

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateOpenReset
String ID:
API String ID: 1285874450-0
Opcode ID: ffe5be806e88d250ddeb8e1301edda40e1d3e26db146ffb064872011c60715bb
Instruction ID: d93f52a139b6ab49f51de119e53bb19f5ae7803e1eaba370af86af000cf3db8e
Opcode Fuzzy Hash: ffe5be806e88d250ddeb8e1301edda40e1d3e26db146ffb064872011c60715bb
Instruction Fuzzy Hash: A3413F74D043599FDF20CFA5C888BADBBB8EF45725F184219E419EB380D7B09A05CB90

Function 02C52081 Relevance: 10.6, APIs: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C520AC
SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C520CD
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C520D8
InterlockedDecrement.KERNEL32(?), ref: 02C5213E
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02C5217A
InterlockedDecrement.KERNEL32(?), ref: 02C52187
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C521A6

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
String ID:
API String ID: 1171374749-0
Opcode ID: 3bcfaab6bd22c6d3741b63c0941065b6fff653bcd394ba06c5bee5d4d3e51a84
Instruction ID: b593ffdd8f6fae552115be34a92a67ab7c0c7119ca07876dd2a5d92c56f0ec37
Opcode Fuzzy Hash: 3bcfaab6bd22c6d3741b63c0941065b6fff653bcd394ba06c5bee5d4d3e51a84
Instruction Fuzzy Hash: 1A4129715047059FC311DF25D888A6BBBF9FFC8654F044A2EF89A82650D730E949CFA6

Function 02C61702 Relevance: 10.6, APIs: 7, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02C61EB0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02C6170E,?,?), ref: 02C61EDF
Part of subcall function 02C61EB0: CloseHandle.KERNEL32(00000000,?,?,02C6170E,?,?), ref: 02C61EF4
Part of subcall function 02C61EB0: SetEvent.KERNEL32(00000000,02C6170E,?,?), ref: 02C61F07

OpenEventA.KERNEL32(00100002,00000000,00000000,61F409A3), ref: 02C61690
CloseHandle.KERNEL32(00000000), ref: 02C616A5
ResetEvent.KERNEL32(00000000,61F409A3), ref: 02C616AF
CloseHandle.KERNEL32(00000000,61F409A3), ref: 02C616E4
__CxxThrowException@8.LIBCMT ref: 02C61715

Part of subcall function 02C6453A: RaiseException.KERNEL32(?,?,02C5FB35,?,?,?,?,?,?,?,02C5FB35,?,02C80F98,?), ref: 02C6458F

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,61F409A3), ref: 02C6175A
CloseHandle.KERNEL32(00000000), ref: 02C6176F

Part of subcall function 02C61BF0: GetCurrentProcessId.KERNEL32(?), ref: 02C61C49

WaitForSingleObject.KERNEL32(00000000,000000FF,61F409A3), ref: 02C6177F

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
String ID:
API String ID: 2227236058-0
Opcode ID: 342e825ceb08056b1b1609051bd84629c10262edf324457f5d22d0627b231b42
Instruction ID: f34ac0404c4db5992e1c0ffdb4f9f85ef45b10da873fe570e353a96b8fdaa6ed
Opcode Fuzzy Hash: 342e825ceb08056b1b1609051bd84629c10262edf324457f5d22d0627b231b42
Instruction Fuzzy Hash: 1F314E75D043499BDF20DBA4DC88BBDB7B9AF45316F180229E91CEB380E7A09A058B51

Function 02C526DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 02C52706
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C5272B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C75B33), ref: 02C52738

Part of subcall function 02C51712: __EH_prolog.LIBCMT ref: 02C51717

SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02C52778
RtlLeaveCriticalSection.NTDLL(?), ref: 02C527D9

Strings

timer, xrefs: 02C52745

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID: timer
API String ID: 4293676635-1792073242
Opcode ID: f36e6321705021b0f2a2e7ae695b8eac165f70aff9cb415cd43d0610f487b0a6
Instruction ID: 49c2fdc4ed2cd6affe92eaf3c0e0451d459c437a7a7c868241f9ecb63ba8ea85
Opcode Fuzzy Hash: f36e6321705021b0f2a2e7ae695b8eac165f70aff9cb415cd43d0610f487b0a6
Instruction Fuzzy Hash: 0631A0B1904716AFD310DF25C984B26BBE8FB48764F004A2EFC5593680D770E958CF9A

Function 02C65D74 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 02C65D74

Part of subcall function 02C684E2: RtlEncodePointer.NTDLL(00000000), ref: 02C684E5
Part of subcall function 02C684E2: __initp_misc_winsig.LIBCMT ref: 02C68500
Part of subcall function 02C684E2: GetModuleHandleW.KERNEL32(kernel32.dll,?,02C81598,00000008,00000003,02C80F7C,?,00000001), ref: 02C69261
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C69275
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C69288
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C6929B
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C692AE
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02C692C1
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02C692D4
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02C692E7
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02C692FA
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02C6930D
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02C69320
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02C69333
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02C69346
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02C69359
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02C6936C
Part of subcall function 02C684E2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02C6937F

__mtinitlocks.LIBCMT ref: 02C65D79
__mtterm.LIBCMT ref: 02C65D82

Part of subcall function 02C65DEA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02C68918
Part of subcall function 02C65DEA: _free.LIBCMT ref: 02C6891F
Part of subcall function 02C65DEA: RtlDeleteCriticalSection.NTDLL(02C83978), ref: 02C68941

__calloc_crt.LIBCMT ref: 02C65DA7
__initptd.LIBCMT ref: 02C65DC9
GetCurrentThreadId.KERNEL32 ref: 02C65DD0

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: fa718b3bf6ef2b9507e2c22daa383cb77cf73e9d86bf630f62bd470b2dc59003
Instruction ID: 073934336ecde71ea5de646411a23264e19f23be9bf44e481b051221a729955f
Opcode Fuzzy Hash: fa718b3bf6ef2b9507e2c22daa383cb77cf73e9d86bf630f62bd470b2dc59003
Instruction Fuzzy Hash: 50F0BE326887125EE7387BB97DCD77A2B86DF01BB4B704B29E464D60C0FF3189066960

Function 02C634A1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 02C634BB
GetProcAddress.KERNEL32(00000000), ref: 02C634C2
RtlEncodePointer.NTDLL(00000000), ref: 02C634CE
RtlDecodePointer.NTDLL(00000001), ref: 02C634EB

Strings

RoInitialize, xrefs: 02C634AA
combase.dll, xrefs: 02C634B6

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 7b7338c70293f394623a737ab985aed18ddef4d9f13bfdc4d7ad38803c710f41
Instruction ID: 834d57285f52899d560b79fc850bf7a58ad14a2c801157d74f161d23b36646e8
Opcode Fuzzy Hash: 7b7338c70293f394623a737ab985aed18ddef4d9f13bfdc4d7ad38803c710f41
Instruction Fuzzy Hash: 42E01A70ED0384ABEB201F70EC4DB267B69A740B02F208B64F50AE5180CBB5516C9F58

Function 02C63576 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02C63490), ref: 02C63590
GetProcAddress.KERNEL32(00000000), ref: 02C63597
RtlEncodePointer.NTDLL(00000000), ref: 02C635A2
RtlDecodePointer.NTDLL(02C63490), ref: 02C635BD

Strings

RoUninitialize, xrefs: 02C6357F
combase.dll, xrefs: 02C6358B

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 37f7d85adc20eb86c5b3b15eff47df8a24afe78f278d58b245e06d46ad74a6f2
Instruction ID: 01f057c361cf86f19c2e5ee2f1f99f8871e1da8520aa57d2048617b6b7799606
Opcode Fuzzy Hash: 37f7d85adc20eb86c5b3b15eff47df8a24afe78f278d58b245e06d46ad74a6f2
Instruction Fuzzy Hash: F9E0B670DD0308ABEB505F60AD0DB167A69B740B05F208E64F606D6294DBB4562CDB98

Function 02C61F10 Relevance: 10.2, APIs: 8, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF,61F409A3,?,?,?,?,00000000,02C76A98,000000FF,02C621AA), ref: 02C61F4A
TlsSetValue.KERNEL32(FFFFFFFF,02C621AA,?,?,00000000), ref: 02C61FB7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C61FE1
HeapFree.KERNEL32(00000000), ref: 02C61FE4

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: HeapValue$FreeProcess
String ID:
API String ID: 1812714009-0
Opcode ID: 1c0605e5e7baab52d099bce56e62f6af7635879344d79720e5977678e66fdc32
Instruction ID: 39ee7d35810c657a1e2f8cf5b1ec43b3c83df80cd92816eb7654bbbcb6277b68
Opcode Fuzzy Hash: 1c0605e5e7baab52d099bce56e62f6af7635879344d79720e5977678e66fdc32
Instruction Fuzzy Hash: 0951AF319043489FDB20CF29C888B26BBE5FB88764F198659E859D7390D771ED04CBD2

Function 02C75660 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 02C75770
__FindPESection.LIBCMT ref: 02C7578A

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 4a463e3414fd91e485c44ec687a617f43b8f17af8b85faf10fd278c167bb27af
Instruction ID: a85dcd68d859e01a5e62cfc5a538a806931f88be6709e91ced6ec997c15fb78d
Opcode Fuzzy Hash: 4a463e3414fd91e485c44ec687a617f43b8f17af8b85faf10fd278c167bb27af
Instruction Fuzzy Hash: F1A1BD75E402158FDB21CF68C9807ADB7A5FF843A4FA48669DC15AB341E731ED02CBA1

Function 0040670E Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040674D
GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 00406767
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 0040679B
MultiByteToWideChar.KERNEL32(00406317,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406317,00200020,00000000,?,00000000,00000000,00000001), ref: 004067D3
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406829
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040683B

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 6d8eb81ee64157f72203894b93785b9b85560a11f4962ec6ebb452b13d20bf59
Instruction ID: 7abba187aa9a424c0dbe6a0d425d95b5373609879485ba3de4d3a8f21a169ece
Opcode Fuzzy Hash: 6d8eb81ee64157f72203894b93785b9b85560a11f4962ec6ebb452b13d20bf59
Instruction Fuzzy Hash: 11418D72901209EFCF209F94CD85EAF3B79FB04754F11453AF912F2290D73989608B99

Function 02C51C91 Relevance: 9.0, APIs: 6, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C51CB1
CloseHandle.KERNEL32(?), ref: 02C51CBA
InterlockedExchangeAdd.KERNEL32(02C87274,00000000), ref: 02C51CC6
TerminateThread.KERNEL32(?,00000000), ref: 02C51CD4
QueueUserAPC.KERNEL32(02C51E7C,?,00000000), ref: 02C51CE1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C51CEC

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 1946104331-0
Opcode ID: fb6f05f2affb168f664ac3832b967af1536668d7100fc79c90b00fb1a8e64772
Instruction ID: 86189fe623418bad4a42a444d8695e2db3e05341b11132743f64ac3895d33681
Opcode Fuzzy Hash: fb6f05f2affb168f664ac3832b967af1536668d7100fc79c90b00fb1a8e64772
Instruction Fuzzy Hash: 8AF0A431540218BFDB105B96DD0DE57FFBCFB85720B00475DF52A82190DBB1A918CBA0

Function 02C52B95 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02C52BE4
WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02C52C07

Part of subcall function 02C5A4DF: WSAGetLastError.WS2_32(00000000,?,?,02C52A51), ref: 02C5A4ED

WSASetLastError.WS2_32 ref: 02C52CD3
select.WS2_32(?,?,00000000,00000000,00000000), ref: 02C52CE7

Strings

3', xrefs: 02C52C85

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLast$Recvselect
String ID: 3'
API String ID: 886190287-280543908
Opcode ID: 9595f5b8c0d74952b68c0d6534820ed6736f3e43ecb4ffba6e6693b908b1ca05
Instruction ID: 32698544e314fb28003785301861cb5600a49486f658c50a86abee0fb7cddd3b
Opcode Fuzzy Hash: 9595f5b8c0d74952b68c0d6534820ed6736f3e43ecb4ffba6e6693b908b1ca05
Instruction Fuzzy Hash: 19418BB19443118FDB209F74C84876BBBE9BF94354F10091EEC9A93281EBB4D584CBA6

Function 00403EAC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00403ECB
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F00
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F60

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00403EFB
__GLOBAL_HEAP_SELECTED, xrefs: 00403F3A

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
Instruction ID: b9728f854654bad712525c43123df79641ae2587965f18a3091eb02ea7af310c
Opcode Fuzzy Hash: 24e6f3bd4125583b3bbf56e9767beae157ffe726f3734666c8e193c81b681956
Instruction Fuzzy Hash: 42312771D002896DEB319A309C45BDA7F7C9B12309F2400FBE545F52C2D6398F8A8718

Function 02C61910 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C6195F

Part of subcall function 02C624B3: std::exception::_Copy_str.LIBCMT ref: 02C624CC

Part of subcall function 02C60D30: __CxxThrowException@8.LIBCMT ref: 02C60D8E

std::exception::exception.LIBCMT ref: 02C619BE

Strings

boost unique_lock has no mutex, xrefs: 02C6194E
$, xrefs: 02C619C3
boost unique_lock owns already the mutex, xrefs: 02C619AD

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
API String ID: 2140441600-46888669
Opcode ID: e6980dd77f8f02020e449b1b8f686d8b25294c161d8b17d871434321466c710e
Instruction ID: 2294f82c561ee134ad7fb436f9982af39b080f97e0e667fa9dfa0ff8096d44af
Opcode Fuzzy Hash: e6980dd77f8f02020e449b1b8f686d8b25294c161d8b17d871434321466c710e
Instruction Fuzzy Hash: 902128B15083809FD720DF25C588B6BBBE5BB88B08F404E5DF5A587380D7B59408DF92

Function 02C64A5C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 02C64A60

Part of subcall function 02C65C52: GetLastError.KERNEL32(76230A60,7622F550,02C65E40,02C63013,7622F550,?,02C5606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02C56508), ref: 02C65C54
Part of subcall function 02C65C52: __calloc_crt.LIBCMT ref: 02C65C75
Part of subcall function 02C65C52: __initptd.LIBCMT ref: 02C65C97
Part of subcall function 02C65C52: GetCurrentThreadId.KERNEL32 ref: 02C65C9E
Part of subcall function 02C65C52: SetLastError.KERNEL32(00000000,02C5606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,02C56508), ref: 02C65CB6

__calloc_crt.LIBCMT ref: 02C64A83
__get_sys_err_msg.LIBCMT ref: 02C64AA1
__invoke_watson.LIBCMT ref: 02C64ABE

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02C64A6B, 02C64A91

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 109275364-798102604
Opcode ID: a6a67b45e3332387c163675d2576b944090a52fbfe578201e76913048c3275c7
Instruction ID: 3ef437781216fd86b3e0fe19fc460681930fd498abf2e5b7fedc5ad1cdbf030c
Opcode Fuzzy Hash: a6a67b45e3332387c163675d2576b944090a52fbfe578201e76913048c3275c7
Instruction Fuzzy Hash: 3BF0E972680B157BEB39A5565CC8A7B72CEDF80AA0B000626FE49D6202E733DD007698

Function 02C52341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C52350
InterlockedExchange.KERNEL32(?,00000001), ref: 02C52360
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C52370
GetLastError.KERNEL32 ref: 02C5237A

Part of subcall function 02C51712: __EH_prolog.LIBCMT ref: 02C51717

Strings

pqcs, xrefs: 02C52388

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1619523792-2559862021
Opcode ID: 36673725168f5cbaac317d20719ca3adb70febbe5a4fc653cb1934cb8154a5d2
Instruction ID: 88bd94696b5151553edc0e844f41810f4d4c40fd9a2f0da5bac9732a9f70a317
Opcode Fuzzy Hash: 36673725168f5cbaac317d20719ca3adb70febbe5a4fc653cb1934cb8154a5d2
Instruction Fuzzy Hash: 2CF0F471980319AFDB20AF749C49FABBBECFB44601F004669ED09D3140E771DA589B91

Function 02C54030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C54035
GetProcessHeap.KERNEL32(00000000,?), ref: 02C54042
RtlAllocateHeap.NTDLL(00000000), ref: 02C54049
std::exception::exception.LIBCMT ref: 02C54063

Part of subcall function 02C5A6A0: __EH_prolog.LIBCMT ref: 02C5A6A5
Part of subcall function 02C5A6A0: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C5A6B4
Part of subcall function 02C5A6A0: __CxxThrowException@8.LIBCMT ref: 02C5A6D3

Strings

bad allocation, xrefs: 02C54058

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
String ID: bad allocation
API String ID: 3112922283-2104205924
Opcode ID: d3b3c5c0fa181451f176517fb720c0f2294a31563e0b1a87ce4354c24c352818
Instruction ID: e08cf954a3a44c66f016115aa01709514920f243b38d358be674c4593ed6ec43
Opcode Fuzzy Hash: d3b3c5c0fa181451f176517fb720c0f2294a31563e0b1a87ce4354c24c352818
Instruction Fuzzy Hash: DEF08CB1E4020DEBCB00EFE0C808BBFBB78FB08740F404A89E914A2640DB7482188F95

Function 00403CD4 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403D2D
GetFileType.KERNEL32(00000800), ref: 00403DD3
GetStdHandle.KERNEL32(-000000F6), ref: 00403E2C
GetFileType.KERNEL32(00000000), ref: 00403E3A
SetHandleCount.KERNEL32 ref: 00403E71

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
Instruction ID: 0b7b95883a4e689196e32d1b42849a04f4efe08137134e81777c7f486c9ce5ca
Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
Instruction Fuzzy Hash: 025125716046458BD7218F38CE847667FA8AF11722F15437AE4A2FB3E0C7389A45CB8D

Function 02C61C60 Relevance: 7.6, APIs: 5, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C61A30: CloseHandle.KERNEL32(00000000,61F409A3), ref: 02C61A81
Part of subcall function 02C61A30: WaitForSingleObject.KERNEL32(?,000000FF,61F409A3,?,?,?,?,61F409A3,02C61A03,61F409A3), ref: 02C61A98

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C61CFE
ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C61D1E
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02C61D57
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02C61DAB
SetEvent.KERNEL32(?), ref: 02C61DB2

Part of subcall function 02C5418C: CloseHandle.KERNEL32(00000000,?,02C61CE5), ref: 02C541B0

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: 2069b74d0441876eb478d30c24cf4e1d8f65310bdd2de51b8d116a378a9e8cb5
Instruction ID: db518876412a981dcfe6aff029e433c80901724b63af721a9d538a4924bf67a1
Opcode Fuzzy Hash: 2069b74d0441876eb478d30c24cf4e1d8f65310bdd2de51b8d116a378a9e8cb5
Instruction Fuzzy Hash: 254110706003028BDB268F28CCC8B6BB7A4EF85725F1807A8EC19DB381C734D9058BD5

Function 02C5207C Relevance: 7.6, APIs: 5, Instructions: 97timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C520AC
SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C520CD
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C520D8
InterlockedDecrement.KERNEL32(?), ref: 02C5213E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C521A6

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$DecrementTimerWaitable
String ID:
API String ID: 1611172436-0
Opcode ID: 054af25a337461c35e8b61da56db8aab63cec08b16d4d4eec32d9d8c048028bc
Instruction ID: 046fc7623c43ce8dff45a6080ec50ee1f4875cf725a4453a4e0a8c0244de1f31
Opcode Fuzzy Hash: 054af25a337461c35e8b61da56db8aab63cec08b16d4d4eec32d9d8c048028bc
Instruction Fuzzy Hash: 35317A72504705AFC315DF25C884A6BBBF9FFC8664F140A2EE89683650D730E989CF96

Function 02C5E0CE Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C5E0D3

Part of subcall function 02C51A01: TlsGetValue.KERNEL32 ref: 02C51A0A

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C5E152
RtlEnterCriticalSection.NTDLL(?), ref: 02C5E16E
InterlockedIncrement.KERNEL32(02C85190), ref: 02C5E193
RtlLeaveCriticalSection.NTDLL(?), ref: 02C5E1A8

Part of subcall function 02C527F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02C5284E

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
String ID:
API String ID: 1578506061-0
Opcode ID: 8e0379bd9d8dad075e8145912bfb8bd0fb597156104f810a1f226c26a4a16310
Instruction ID: c34db493c8cb269754148b5f81c2c0ec9bf6ae89e416b7b978136b762e9ff4fc
Opcode Fuzzy Hash: 8e0379bd9d8dad075e8145912bfb8bd0fb597156104f810a1f226c26a4a16310
Instruction Fuzzy Hash: E33147B1D012189FCB10DFA9C944AAEBBF8FF48310F14855EE849E7641E774A648CFA4

Function 02C529EE Relevance: 7.6, APIs: 5, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02C52A3B
closesocket.WS2_32 ref: 02C52A42
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C52A89
WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02C52A97
closesocket.WS2_32 ref: 02C52A9E

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket$ioctlsocket
String ID:
API String ID: 1561005644-0
Opcode ID: c04cc0ffe859059310e0ece4ecf0d620c59b0c2a9b48858a396178b83b09b668
Instruction ID: cff83cf8632e5d7fd18c915a9862c415674a47ac31bcdfb0486ee7231538a385
Opcode Fuzzy Hash: c04cc0ffe859059310e0ece4ecf0d620c59b0c2a9b48858a396178b83b09b668
Instruction Fuzzy Hash: 1E216D71E40219AFDB30ABB8C848B6AB3E9EF84315F11466DFD15D3141EB70CA84CB61

Function 02C51BA7 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C51BAC
RtlEnterCriticalSection.NTDLL ref: 02C51BBC
RtlLeaveCriticalSection.NTDLL ref: 02C51BEA
RtlEnterCriticalSection.NTDLL ref: 02C51C13
RtlLeaveCriticalSection.NTDLL ref: 02C51C56

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 7738b878b81a61a86694f89d085e429cef52fdad1cde6b47b712c6b22f04d951
Instruction ID: 72730c14fe00f16cad94f6326e755f5cd0c545be92ec7798218bb592e8a7cf91
Opcode Fuzzy Hash: 7738b878b81a61a86694f89d085e429cef52fdad1cde6b47b712c6b22f04d951
Instruction Fuzzy Hash: 9921D1B5900614DFCB14CF68C44879ABBB5FF88714F158589EC5997301D7B1EA45CBE0

Function 02C70384 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C70390

Part of subcall function 02C62F8C: __FF_MSGBANNER.LIBCMT ref: 02C62FA3
Part of subcall function 02C62F8C: __NMSG_WRITE.LIBCMT ref: 02C62FAA
Part of subcall function 02C62F8C: RtlAllocateHeap.NTDLL(00680000,00000000,00000001), ref: 02C62FCF

_free.LIBCMT ref: 02C703A3

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 126a5b5b2116a91694497450ae1d2c07d9554479e0ebfa3f1f652a7d02957eea
Instruction ID: f9bee1a801ec1dc9ff014e83b65e00ce0f9c84e5f52af5fd02d52b55fe770ea3
Opcode Fuzzy Hash: 126a5b5b2116a91694497450ae1d2c07d9554479e0ebfa3f1f652a7d02957eea
Instruction Fuzzy Hash: 83112972848B15AFCF212FB0ACCC76A3B99AF443A0F204625F90E9A140DB348555DBD1

Function 02C521D5 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C521DA
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C521ED
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02C52224
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02C52237
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C52261

Part of subcall function 02C52341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C52350
Part of subcall function 02C52341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C52360
Part of subcall function 02C52341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C52370
Part of subcall function 02C52341: GetLastError.KERNEL32 ref: 02C5237A

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 0f00de53dc5eb15a810916e477a3c557ae814f2678b073b28e61d527656b29c5
Instruction ID: e8a4f4ae63bf735423e7fd08837c4b57d7cd6bbeeab55ee356af62ed2b87c888
Opcode Fuzzy Hash: 0f00de53dc5eb15a810916e477a3c557ae814f2678b073b28e61d527656b29c5
Instruction Fuzzy Hash: C5118475D40129EBCB019FA4DC446BEFBBAFF44320F10462AEC1592160D7718695DBD6

Function 02C52298 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C5229D
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C522B0
TlsGetValue.KERNEL32 ref: 02C522E7
TlsSetValue.KERNEL32(?), ref: 02C52300
TlsSetValue.KERNEL32(?,?,?), ref: 02C5231C

Part of subcall function 02C52341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C52350
Part of subcall function 02C52341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C52360
Part of subcall function 02C52341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C52370
Part of subcall function 02C52341: GetLastError.KERNEL32 ref: 02C5237A

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 3320c9dcac234bc26372b70a45a8ef13543cfd5556af63a24c3387f54f2b897e
Instruction ID: 4907f664179207da11067f587678334e482566443b28d6af9026dd7fd8e0e1a4
Opcode Fuzzy Hash: 3320c9dcac234bc26372b70a45a8ef13543cfd5556af63a24c3387f54f2b897e
Instruction Fuzzy Hash: E4115E75D40129EBCB019FA5D844AAEFBBAFF44310F10462AEC04A3250D7718A95DFD1

Function 02C5BCE8 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02C5B13B: __EH_prolog.LIBCMT ref: 02C5B140

__CxxThrowException@8.LIBCMT ref: 02C5BD05

Part of subcall function 02C6453A: RaiseException.KERNEL32(?,?,02C5FB35,?,?,?,?,?,?,?,02C5FB35,?,02C80F98,?), ref: 02C6458F

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02C81DB4,?,00000001), ref: 02C5BD1B
InterlockedExchange.KERNEL32(?,00000001), ref: 02C5BD2E
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02C81DB4,?,00000001), ref: 02C5BD3E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C5BD4C

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
String ID:
API String ID: 2725315915-0
Opcode ID: 75d6eabd9357150cdba178f46222df923da4a0f59e9f898a3d31ab7a60aadfbb
Instruction ID: 2b723f046018da4b82375087da7548e6722d270bde9756938ef9c4bfe9a8577b
Opcode Fuzzy Hash: 75d6eabd9357150cdba178f46222df923da4a0f59e9f898a3d31ab7a60aadfbb
Instruction Fuzzy Hash: 1401D672A002186FDF10DBA0DC88F96BBADAB04318F004514FA15D7180E7A0EC488B50

Function 02C52420 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C52432
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C52445
RtlEnterCriticalSection.NTDLL(?), ref: 02C52454
InterlockedExchange.KERNEL32(?,00000001), ref: 02C52469
RtlLeaveCriticalSection.NTDLL(?), ref: 02C52470

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 747265849-0
Opcode ID: 5e2568335c9d57d8ae029b85702631e7ba74e3631d1069f520ee0767c94f515c
Instruction ID: 0c95c663550a0fc3e799f10261daf645bf28e85504c41315ea1df1a99315332e
Opcode Fuzzy Hash: 5e2568335c9d57d8ae029b85702631e7ba74e3631d1069f520ee0767c94f515c
Instruction Fuzzy Hash: 36F09072640218BFD7009BA0ED49FD6B72CFB44701F800411FB01D6080D760E969CBE5

Function 02C51EC7 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 02C51ED2
PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C51EEA
RtlEnterCriticalSection.NTDLL(?), ref: 02C51EF9
InterlockedExchange.KERNEL32(?,00000001), ref: 02C51F0E
RtlLeaveCriticalSection.NTDLL(?), ref: 02C51F15

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
String ID:
API String ID: 830998967-0
Opcode ID: ef017757abb7060f4ceee11445d035f5b4982e7886846342c1f6938dca1810f9
Instruction ID: a8ae7299db363fc3e9d10251d4f6f41e3de4397af9caf6a8f7d4f98b126b3414
Opcode Fuzzy Hash: ef017757abb7060f4ceee11445d035f5b4982e7886846342c1f6938dca1810f9
Instruction Fuzzy Hash: B8F01772641619BFDB00AFA1ED88FD6BB2CFF44355F000516F60196440DBA1AA6D8BE0

Function 02C58725 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02C5878D
_memmove.LIBCMT ref: 02C5883B

Strings

string too long, xrefs: 02C587C0, 02C58862
invalid string position, xrefs: 02C587B6

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6e957f3ea36ca7733ce867bc4062d80805c753b16bd0cfa6fe09d7273e44caac
Instruction ID: b2644d761e9cfd1141ca86d229fb7b790cfbb81c02dd4642b0aa0a03e9887b2e
Opcode Fuzzy Hash: 6e957f3ea36ca7733ce867bc4062d80805c753b16bd0cfa6fe09d7273e44caac
Instruction Fuzzy Hash: CA41C8317003249BD7349E69DC84E66BBAAEF81758B000A2DFD56C7281C770E9C4CBA8

Function 02C530AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02C530C3
WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02C53102
_memcmp.LIBCMT ref: 02C53141

Strings

255.255.255.255, xrefs: 02C53139

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AddressErrorLastString_memcmp
String ID: 255.255.255.255
API String ID: 1618111833-2422070025
Opcode ID: 118a2f6b24345c0be7d5b3f8cdf15fd1c37bfed9860c107250855ce2d35a1e9f
Instruction ID: 191f4ae54d6c134fd31d062dcd68a15ae45b1dc65ea3050429823a5b874297af
Opcode Fuzzy Hash: 118a2f6b24345c0be7d5b3f8cdf15fd1c37bfed9860c107250855ce2d35a1e9f
Instruction Fuzzy Hash: 2C31E4719003549FDB209F74CC84B6FB7A5BF813A4F1045A9EC5697280DB72D9818B94

Function 02C51F56 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C51F5B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C51FC5
GetLastError.KERNEL32(?,00000000), ref: 02C51FD2

Part of subcall function 02C51712: __EH_prolog.LIBCMT ref: 02C51717

Strings

iocp, xrefs: 02C51FE0

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$CompletionCreateErrorLastPort
String ID: iocp
API String ID: 998023749-976528080
Opcode ID: bd11ddf2312009e0f75fc194dce609c596b385554f64982a9040108a6e97a741
Instruction ID: 96f452482ee38566dc372fabbf3fc027c9217f601de77bf5fc26d1f83ba5463e
Opcode Fuzzy Hash: bd11ddf2312009e0f75fc194dce609c596b385554f64982a9040108a6e97a741
Instruction Fuzzy Hash: 5E21E5B1801B449FC720DF6AC54455BFBF8FF94720B108A1FE8A683A60D7B0A644CF95

Function 02C63B2C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C63B44

Part of subcall function 02C62F8C: __FF_MSGBANNER.LIBCMT ref: 02C62FA3
Part of subcall function 02C62F8C: __NMSG_WRITE.LIBCMT ref: 02C62FAA
Part of subcall function 02C62F8C: RtlAllocateHeap.NTDLL(00680000,00000000,00000001), ref: 02C62FCF

std::exception::exception.LIBCMT ref: 02C63B62
__CxxThrowException@8.LIBCMT ref: 02C63B77

Part of subcall function 02C6453A: RaiseException.KERNEL32(?,?,02C5FB35,?,?,?,?,?,?,?,02C5FB35,?,02C80F98,?), ref: 02C6458F

Strings

bad allocation, xrefs: 02C63B57

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: 632036ef0b84801305f4c1b5cd5ce9c7e1a51e0ddf67a9a06df2c79656f834b1
Instruction ID: c97a8d323599ba5a79028588cb205bd279c028281da0531c09ec5710d0b8bfea
Opcode Fuzzy Hash: 632036ef0b84801305f4c1b5cd5ce9c7e1a51e0ddf67a9a06df2c79656f834b1
Instruction Fuzzy Hash: B8E0E57090024FAADF10FE90CC8D9BFBB79AF00714F4046A5DD0067590DB318B05EAE2

Function 02C537B1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C537B6
__localtime64.LIBCMT ref: 02C537C1

Part of subcall function 02C625E0: __gmtime64_s.LIBCMT ref: 02C625F3

std::exception::exception.LIBCMT ref: 02C537D9

Part of subcall function 02C624B3: std::exception::_Copy_str.LIBCMT ref: 02C624CC

Part of subcall function 02C5A4FE: __EH_prolog.LIBCMT ref: 02C5A503
Part of subcall function 02C5A4FE: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C5A512
Part of subcall function 02C5A4FE: __CxxThrowException@8.LIBCMT ref: 02C5A531

Strings

could not convert calendar time to UTC time, xrefs: 02C537CE

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
String ID: could not convert calendar time to UTC time
API String ID: 1963798777-2088861013
Opcode ID: fb6264ca9b4f72f2f1ed9b1fbd447188285da35adba7019e284411e2dea09586
Instruction ID: 9248fa27c3a08de6ba4951a3ae7ad5f779c01b2a94cbe72550b283e76a8bed10
Opcode Fuzzy Hash: fb6264ca9b4f72f2f1ed9b1fbd447188285da35adba7019e284411e2dea09586
Instruction Fuzzy Hash: 67E06DB1D002099BCB10EFA4D9497FEB779EF04340F40859ADC15A2640EB349605DE85

Function 0040315A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00402E6A), ref: 0040315F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040316F

Strings

IsProcessorFeaturePresent, xrefs: 00403169
KERNEL32, xrefs: 0040315A

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: ee4fb49231880130fc7adb82ded6e302562b2849836945389797dfa68bab57f4
Instruction ID: 396ae008ee37b43aaac66eedf252cb0d6854bca9fd0baad0eaa83bc1c4717f20
Opcode Fuzzy Hash: ee4fb49231880130fc7adb82ded6e302562b2849836945389797dfa68bab57f4
Instruction Fuzzy Hash: 14C01270380B00A6EA201FB20F0AB2628AC1B48B03F1800BEA289F81C0CE7CC600843D

Function 00404C1C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040403A), ref: 00404C3D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040403A), ref: 00404C61
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040403A), ref: 00404C7B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040403A), ref: 00404D3C
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040403A), ref: 00404D53

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
Instruction ID: 583ec5426b209604bff2a02b3d2478297b9ba55a468d27544d52312baf66a8bd
Opcode Fuzzy Hash: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
Instruction Fuzzy Hash: BC31E2B15417019BE3348F24EE44B22B7A0EBC8754F11863AE665B73E1EB78A844CB5C

Function 0040443E Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00008000,00004000,7622DFF0,?,00000000), ref: 00404696
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004046F1
HeapFree.KERNEL32(00000000,?), ref: 00404703

Strings

4/@, xrefs: 0040443E

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Free$Virtual$Heap
String ID: 4/@
API String ID: 2016334554-3101945251
Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
Instruction ID: 876bcf6037267374920b0e9be09a40bf20dde446c7cba65ee9efa19dd1b870bf
Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
Instruction Fuzzy Hash: 4AB18EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84

Function 02C6C3C9 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 02C6C45A
_memmove.LIBCMT ref: 02C6C4CE
___AdjustPointer.LIBCMT ref: 02C6C51F
_memmove.LIBCMT ref: 02C6C528

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 0dbcd0d55cb225470a06e58726e3168864991c01a43697ba3d36daa94128b923
Instruction ID: 95640590fbfa7e5d0b4862b34c50a4f7aa41994b27373917cd3141cf459b7391
Opcode Fuzzy Hash: 0dbcd0d55cb225470a06e58726e3168864991c01a43697ba3d36daa94128b923
Instruction Fuzzy Hash: 414185752043035EEB28DE26DCCCB7A33E59F81B68F28001FE885865E1EB71D780EA10

Function 02C61300 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C54149), ref: 02C6139F

Part of subcall function 02C53FDC: __EH_prolog.LIBCMT ref: 02C53FE1
Part of subcall function 02C53FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02C53FF3

CloseHandle.KERNEL32(00000000), ref: 02C61394
CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02C54149), ref: 02C613E0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C54149), ref: 02C614B1

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$CreateH_prolog
String ID:
API String ID: 2825413587-0
Opcode ID: 3ed4e363e0188a57c36c47827b83b261051402a0070d1a1d9dbb595ba6e5f742
Instruction ID: 77c463c7ae0b77214c78c920e5c9fe4702fd498454ae52cad20f1ed6390656ab
Opcode Fuzzy Hash: 3ed4e363e0188a57c36c47827b83b261051402a0070d1a1d9dbb595ba6e5f742
Instruction Fuzzy Hash: AA51B0B16003459BDF11DF28C8C87AAB7E4BF88329F1D4628E86E97390D775DA05CB91

Function 02C6378D Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02C63823
__flush.LIBCMT ref: 02C63843
__write.LIBCMT ref: 02C63876
__flsbuf.LIBCMT ref: 02C638A4

Part of subcall function 02C65E3B: __getptd_noexit.LIBCMT ref: 02C65E3B

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
Instruction ID: 350b1e254b8393c7ed694b51d7bf202854e7cf9533cd4d39df584f23c2daf614
Opcode Fuzzy Hash: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
Instruction Fuzzy Hash: 03419571B00686ABDF188FA9C8D85BE77B6EFC8B64B1481BEE405C7280D771DA418B50

Function 02C6FEF5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C6FF2B
__isleadbyte_l.LIBCMT ref: 02C6FF59
MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02C6FF87
MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02C6FFBD

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: bd3c43c0ff39c05e0735231d732e05e2c16c58747fe9fbe1791d19b9dacbc866
Instruction ID: d1f75407471473f77f9ed875bf573ed901a7308baa512788a450b7373166ac9c
Opcode Fuzzy Hash: bd3c43c0ff39c05e0735231d732e05e2c16c58747fe9fbe1791d19b9dacbc866
Instruction Fuzzy Hash: 1931D031600246AFDB21CE75E888BBA7BE9FF82324F15402DF86687590D732D951DB92

Function 02C53D7E Relevance: 6.1, APIs: 4, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 02C53DA2

Part of subcall function 02C53BD3: __EH_prolog.LIBCMT ref: 02C53BD8
Part of subcall function 02C53BD3: std::bad_exception::bad_exception.LIBCMT ref: 02C53BED

htonl.WS2_32(00000000), ref: 02C53DB9
htonl.WS2_32(00000000), ref: 02C53DC0
htons.WS2_32(?), ref: 02C53DD4

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
String ID:
API String ID: 3882411702-0
Opcode ID: cf48a04b6ba34524857db92306b7d8d74f12c4b90050613d5b322ba9eea78bf1
Instruction ID: cabbf2cb6b0ce0c39ce60c53de0afd227c451c439105845b0eff8f4709320a05
Opcode Fuzzy Hash: cf48a04b6ba34524857db92306b7d8d74f12c4b90050613d5b322ba9eea78bf1
Instruction Fuzzy Hash: B211A535910259EFCF019F64D885A5AB7B9FF49310F0084A6FC08DF205D771DA58CBA5

Function 02C5239D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02C523D0
RtlEnterCriticalSection.NTDLL(?), ref: 02C523DE
InterlockedExchange.KERNEL32(?,00000001), ref: 02C52401
RtlLeaveCriticalSection.NTDLL(?), ref: 02C52408

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: ab755b98675634825d273d41e945b000ae2a2233ee41b3e88b4e21e1c5914574
Instruction ID: 16f98dbea8b9223bd0ce98e9aa5a1247330b85c38593b607bfd7329ea2ab8ab4
Opcode Fuzzy Hash: ab755b98675634825d273d41e945b000ae2a2233ee41b3e88b4e21e1c5914574
Instruction Fuzzy Hash: 8D118E71600319AFDB109F61D984B66BBB9FF44705F10446DFD019B140D7B1E999CBA1

Function 02C52EDD Relevance: 6.0, APIs: 4, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02C52EEE
WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C52EFD
WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C52F0C
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C52F36

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: 638362807433820bb7d854c9af23988937425d8c995874b6e69d958336ca9eb9
Instruction ID: 3a1a524bfc6ce954ad51ec7702f179d0e167f99a1c418c633ee85691df3c05b9
Opcode Fuzzy Hash: 638362807433820bb7d854c9af23988937425d8c995874b6e69d958336ca9eb9
Instruction Fuzzy Hash: F1018871940218FBDB205F65DC88F5ABBA9EB89761F008665FE18DB181D771C9048BB1

Function 02C6C81B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02C6C83F

Part of subcall function 02C6CF26: __fltout2.LIBCMT ref: 02C6CF4F

__cftog_l.LIBCMT ref: 02C6C865
__cftoe_l.LIBCMT ref: 02C6C897

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a43ccbb8041f3e1a07305b9521a407cf26a26a7b78cf6523eef03c73742c0961
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BD014E3200014ABBCF266E85DC898EE3F36BF5C354B488416FA9959031C337C6B1AB81

Function 02C5247D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C524A9
RtlEnterCriticalSection.NTDLL(?), ref: 02C524B8
InterlockedExchange.KERNEL32(?,00000001), ref: 02C524CD
RtlLeaveCriticalSection.NTDLL(?), ref: 02C524D4

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: 01d032d7b73497c3b481900fa073870f3f2c159bdfa40d2b20ef631130a28ea6
Instruction ID: 45790e3318b06e64f2e9cbc2b206bf0205642d11bf8201db3e846e102746ed97
Opcode Fuzzy Hash: 01d032d7b73497c3b481900fa073870f3f2c159bdfa40d2b20ef631130a28ea6
Instruction Fuzzy Hash: AEF03C72540209AFDB009F69EC88F9ABBACFF48710F004519FA05DA141D7B1E5688FE1

Function 02C52004 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C52009
RtlDeleteCriticalSection.NTDLL(?), ref: 02C52028
CloseHandle.KERNEL32(00000000), ref: 02C52037
CloseHandle.KERNEL32(00000000), ref: 02C5204E

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalDeleteH_prologSection
String ID:
API String ID: 2456309408-0
Opcode ID: 46357b4adb98b2c5ef57bdb9e1f8733238bcc8e7cebdbed1e9c56d106455e5d4
Instruction ID: 574c05d9e582f7a9f566b5ce6d939143824004fe310e06ffab0f8da3a2a35967
Opcode Fuzzy Hash: 46357b4adb98b2c5ef57bdb9e1f8733238bcc8e7cebdbed1e9c56d106455e5d4
Instruction Fuzzy Hash: 9E01D1714017149FC324AF54E908BAAF7F5FF04704F004A5DEC4682590C7B0A68CCF95

Function 02C51E26 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C51E2B
SetEvent.KERNEL32(00000000), ref: 02C51E3F
SetEvent.KERNEL32(?), ref: 02C51E58
SleepEx.KERNEL32(000000FF,00000001), ref: 02C51E62

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 2b429b8ec1459e3353b8c1a23a2941c312aac3e3ac31fdf18f85fb1b66349861
Instruction ID: 1ab91deb25d4e0f66c8323fa7fe37b4bac2bf48606823ff4bb5d8ede539732e0
Opcode Fuzzy Hash: 2b429b8ec1459e3353b8c1a23a2941c312aac3e3ac31fdf18f85fb1b66349861
Instruction Fuzzy Hash: E8F05435640114DFCB009FA4D8C9B98BBB4FF0D311F5082A9F919DB290C7759858CB91

Function 02C59F2B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C59F30
_memmove.LIBCMT ref: 02C5A02A

Strings

&', xrefs: 02C5A011

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove
String ID: &'
API String ID: 3529519853-655172784
Opcode ID: 1f1eda4bf00c10f87f60c5f3af2bbcbf81e31dab4fad590ec54c77b18d52158c
Instruction ID: 23eb26f4902fce1adc56c2ccc383f7a90fa503f5fbd8842126ad9a9f42e8f930
Opcode Fuzzy Hash: 1f1eda4bf00c10f87f60c5f3af2bbcbf81e31dab4fad590ec54c77b18d52158c
Instruction Fuzzy Hash: FF619071D00229DFCF20DFA5C940AEEFBB6AF88310F10425AD909AB140D771DA85DFA5

Function 0040602F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00406043

Strings

, xrefs: 00406068
, xrefs: 0040608C

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
Instruction ID: a42b242f0737112a64efb8245030e7df3adc9bcb2e8c8469847d94988edb9e3f
Opcode Fuzzy Hash: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
Instruction Fuzzy Hash: 7B413731004158AEEB119754DD89BFB3FE9DB06700F1501F6D58BFB1D3C23949648BAA

Function 02C52DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100networkCOMMON

Download Yara Rule

APIs

Part of subcall function 02C52D39: WSASetLastError.WS2_32(00000000), ref: 02C52D47
Part of subcall function 02C52D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02C52D5C

WSASetLastError.WS2_32(00000000), ref: 02C52E6D
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02C52E83

Strings

3', xrefs: 02C52E22

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID: 3'
API String ID: 2958345159-280543908
Opcode ID: 20a378f614caba619b7ac7b8eef904e34ed19b3c26a673f69faae8baa5b5c3e7
Instruction ID: 49e2572bc3a1d7388344af6a2d4cb15cabb01549f4ef428ef6ce6374bacd1bf1
Opcode Fuzzy Hash: 20a378f614caba619b7ac7b8eef904e34ed19b3c26a673f69faae8baa5b5c3e7
Instruction Fuzzy Hash: A031DEB1A002299FDF10DFA4C848BEE7BEAAF44354F00455ADC0593280E7B5D5C5DFA5

Function 02C5963F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02C583A9,?,?,00000000), ref: 02C596A6
getsockname.WS2_32(?,?,?), ref: 02C596BC

Strings

&', xrefs: 02C596EF

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLastgetsockname
String ID: &'
API String ID: 566540725-655172784
Opcode ID: d76e9d0befba4cf36eda1dcf0f2f2ed4f258e9fda91b7d3a958a957696aa1fa1
Instruction ID: 1bc8426b51402e322124ab976681a7184e825e97cd370293e745d9cffe5f31e9
Opcode Fuzzy Hash: d76e9d0befba4cf36eda1dcf0f2f2ed4f258e9fda91b7d3a958a957696aa1fa1
Instruction Fuzzy Hash: 0D218172A40248DBDB10DF68D844ADEB7F5FF48314F10816AED19EB281DB30E9458B94

Function 02C5CC85 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C5CC8A

Part of subcall function 02C5D266: std::exception::exception.LIBCMT ref: 02C5D295

Part of subcall function 02C5DA1C: __EH_prolog.LIBCMT ref: 02C5DA21

Part of subcall function 02C63B2C: _malloc.LIBCMT ref: 02C63B44

Part of subcall function 02C5D2C5: __EH_prolog.LIBCMT ref: 02C5D2CA

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02C5CCC0
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C5CCC7

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 1953324306-1943798000
Opcode ID: 3a7432f4748516d7dcfe598724816bdf6341f65ca6e17546cda4cd3095a26c14
Instruction ID: d40830637e72660bb71cb16ad878c7646d862e4f42ae3030dcf23588165b488e
Opcode Fuzzy Hash: 3a7432f4748516d7dcfe598724816bdf6341f65ca6e17546cda4cd3095a26c14
Instruction Fuzzy Hash: 5521D0B0E002A8DBDB08EFE8D844BAEBBB5EF54700F14455DEC06AB240DB709A84DF55

Function 02C5CD7A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C5CD7F

Part of subcall function 02C5D33D: std::exception::exception.LIBCMT ref: 02C5D36A

Part of subcall function 02C5DB53: __EH_prolog.LIBCMT ref: 02C5DB58

Part of subcall function 02C63B2C: _malloc.LIBCMT ref: 02C63B44

Part of subcall function 02C5D39A: __EH_prolog.LIBCMT ref: 02C5D39F

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02C5CDB5
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C5CDBC

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 1953324306-412195191
Opcode ID: 1faa22bac04b8ae0de1e7abfe816db434c11d6508cf4f604316aa8c4326f330c
Instruction ID: f9ea33869610194a3e3f5999f672c33c7ebace8c04e667f610347a1ad8785705
Opcode Fuzzy Hash: 1faa22bac04b8ae0de1e7abfe816db434c11d6508cf4f604316aa8c4326f330c
Instruction Fuzzy Hash: C621DDB1E00268DBDB08EFE8D854BAEBBB5EF44700F10465DEC06A7340DB749A84DB95

Function 02C52AC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 02C52AEA
connect.WS2_32(?,?,?), ref: 02C52AF5

Strings

3', xrefs: 02C52B3B

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: 3'
API String ID: 374722065-280543908
Opcode ID: 32af3deda293806e66fe435f96bb58f93586f9d98067d4215334a984d56b98d8
Instruction ID: 69b80766d93bc6eeb5bd37723b4114ecf66a7bb6ef980fd9581f909efc9fd919
Opcode Fuzzy Hash: 32af3deda293806e66fe435f96bb58f93586f9d98067d4215334a984d56b98d8
Instruction Fuzzy Hash: E521CC70E002149BCF14EFB4C4486BEB7FAEF84364F004559DD19A3281EBB4C6459FA5

Function 02C5534D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C5535D

Part of subcall function 02C62F8C: __FF_MSGBANNER.LIBCMT ref: 02C62FA3
Part of subcall function 02C62F8C: __NMSG_WRITE.LIBCMT ref: 02C62FAA
Part of subcall function 02C62F8C: RtlAllocateHeap.NTDLL(00680000,00000000,00000001), ref: 02C62FCF

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02C5536F

Strings

\save.dat, xrefs: 02C55383

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AllocateFolderHeapPathSpecial_malloc
String ID: \save.dat
API String ID: 4128168839-3580179773
Opcode ID: 25bb9828eb95ad7bb2e4b2697ceb68aad28a8b4ff4d1f0422a856a620f6040ea
Instruction ID: f11f9ca0a3b6290f9080044410fbce2947251e7a352f545464933f69d589c08e
Opcode Fuzzy Hash: 25bb9828eb95ad7bb2e4b2697ceb68aad28a8b4ff4d1f0422a856a620f6040ea
Instruction Fuzzy Hash: B6117D729042546BDB258E658CC4A6FFF6BDF82AA0B1002A9EC4D67201D7A34E02D6A0

Function 00403955 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe,00000104,?,00000000,?,?,?,?,00402F3E), ref: 00403978

Strings

C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe, xrefs: 0040396C, 00403976, 0040399B, 004039D1
@6h, xrefs: 0040397E

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: FileModuleName
String ID: @6h$C:\Users\user\AppData\Local\Zexter Video Codec\zextervideocodec32_64.exe
API String ID: 514040917-2668913478
Opcode ID: d19cce7575ed6d861219ae6d36446b8f64fb1756d8bebb839f01d6491cfa05e1
Instruction ID: 9770bf3b923bf3f526403b81e464c5a22b29ad6242be3ce84e47a5001c686f92
Opcode Fuzzy Hash: d19cce7575ed6d861219ae6d36446b8f64fb1756d8bebb839f01d6491cfa05e1
Instruction Fuzzy Hash: 24113DB6900118BFD711EFA9DDC1C9B7BACEA45758B01027AF541F7281E6746E04CBA4

Function 02C53965 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C5396A
std::runtime_error::runtime_error.LIBCPMT ref: 02C539C1

Part of subcall function 02C51410: std::exception::exception.LIBCMT ref: 02C51428

Part of subcall function 02C5A5F4: __EH_prolog.LIBCMT ref: 02C5A5F9
Part of subcall function 02C5A5F4: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C5A608
Part of subcall function 02C5A5F4: __CxxThrowException@8.LIBCMT ref: 02C5A627

Strings

Day of month is not valid for year, xrefs: 02C539AC

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month is not valid for year
API String ID: 1404951899-1521898139
Opcode ID: 39f7ab3fccc3db39f28cfebee330031e6bd1290fcab135c14c26b516afb76301
Instruction ID: 20a302ee72c266af42ab74e8ace4529a856dfedc1d58128883d41b455a8a752c
Opcode Fuzzy Hash: 39f7ab3fccc3db39f28cfebee330031e6bd1290fcab135c14c26b516afb76301
Instruction Fuzzy Hash: D401D47A81025DAADF04EFA4D805AEEB779FF18710F40411AED05A3300EB708B85DB99

Function 02C5B0D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C5FAED
__CxxThrowException@8.LIBCMT ref: 02C5FB02

Part of subcall function 02C63B2C: _malloc.LIBCMT ref: 02C63B44

Strings

bad allocation, xrefs: 02C5FAE2

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: bad allocation
API String ID: 4063778783-2104205924
Opcode ID: c2723150d40f2cdaafa0e7a17b62dd28bcea20bb31d3af201ed073bdbff9dddc
Instruction ID: 4b9e9ce3a89503e0e9286e2ff37b876641a00ccb47a10c8b0311a97dfab69af2
Opcode Fuzzy Hash: c2723150d40f2cdaafa0e7a17b62dd28bcea20bb31d3af201ed073bdbff9dddc
Instruction Fuzzy Hash: 9EF027F070031E679F08FAA989599BF77EDEF44218F400569E921D3A80EB70EE40C5D9

Function 02C53C16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C53C1B
std::bad_exception::bad_exception.LIBCMT ref: 02C53C30

Part of subcall function 02C62497: std::exception::exception.LIBCMT ref: 02C624A1

Part of subcall function 02C5A62D: __EH_prolog.LIBCMT ref: 02C5A632
Part of subcall function 02C5A62D: __CxxThrowException@8.LIBCMT ref: 02C5A65B

Strings

bad cast, xrefs: 02C53C28

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 5c932e3a6b301a30927a63b6e4c39be3733c9ced81a757c8e93d007e366ae25c
Instruction ID: a736853f642ec8a1636aa5dc933b9d89b0df5a7b3abe53095def7e4f7cc25f9a
Opcode Fuzzy Hash: 5c932e3a6b301a30927a63b6e4c39be3733c9ced81a757c8e93d007e366ae25c
Instruction Fuzzy Hash: 19F0E572D00504CBC709DF58D440AEAB775EF55352F1001AEEE0A5B250CBB2DA46DBD5

Function 02C538CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C538D2
std::runtime_error::runtime_error.LIBCPMT ref: 02C538F1

Part of subcall function 02C51410: std::exception::exception.LIBCMT ref: 02C51428

Part of subcall function 02C58962: _memmove.LIBCMT ref: 02C58982

Strings

Year is out of valid range: 1400..10000, xrefs: 02C538E0

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Year is out of valid range: 1400..10000
API String ID: 3258419250-2344417016
Opcode ID: 0542cc3631b07de9696851c769fb8f868ad36e3f4dadbcd713ea4622c9c2fb8e
Instruction ID: 15ad9f10886a7051aa8aa1b2ae67ff67fd721d98785baf1dc4c1430020f2ee17
Opcode Fuzzy Hash: 0542cc3631b07de9696851c769fb8f868ad36e3f4dadbcd713ea4622c9c2fb8e
Instruction Fuzzy Hash: E8E0D872A402149BD714EBD48C157EDB779DB08B10F00055ADD0677680DBF15984DB95

Function 02C53881 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C53886
std::runtime_error::runtime_error.LIBCPMT ref: 02C538A5

Part of subcall function 02C51410: std::exception::exception.LIBCMT ref: 02C51428

Part of subcall function 02C58962: _memmove.LIBCMT ref: 02C58982

Strings

Day of month value is out of range 1..31, xrefs: 02C53894

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month value is out of range 1..31
API String ID: 3258419250-1361117730
Opcode ID: 1c18a73002d0265ecaae4c01c35b9f968b09283726f6d046b71e1ee2c8e7e52c
Instruction ID: 7047476fba656905b7508fd2d049d9d0a4e935930fe15a2164ad914964acb62c
Opcode Fuzzy Hash: 1c18a73002d0265ecaae4c01c35b9f968b09283726f6d046b71e1ee2c8e7e52c
Instruction Fuzzy Hash: EFE0D872A402149BD714AB948C15BEDB779DB08B50F40015EDD0677680DBF15984DBD5

Function 02C53919 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C5391E
std::runtime_error::runtime_error.LIBCPMT ref: 02C5393D

Part of subcall function 02C51410: std::exception::exception.LIBCMT ref: 02C51428

Part of subcall function 02C58962: _memmove.LIBCMT ref: 02C58982

Strings

Month number is out of range 1..12, xrefs: 02C5392C

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Month number is out of range 1..12
API String ID: 3258419250-4198407886
Opcode ID: 14996599c83dfe1467ea0e5ba5811ecc7263ee9c2ab626a78491f83484bd46c7
Instruction ID: 4de87d183c9683da52e0e455487104e74c0a6fe08d32d405968a2783f8189ca2
Opcode Fuzzy Hash: 14996599c83dfe1467ea0e5ba5811ecc7263ee9c2ab626a78491f83484bd46c7
Instruction Fuzzy Hash: 74E0D872A402149BD718BB948C167EDB779EB08B10F10019ADD0677680DBF15984DBD9

Function 02C519C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 02C519CC
GetLastError.KERNEL32 ref: 02C519D9

Part of subcall function 02C51712: __EH_prolog.LIBCMT ref: 02C51717

Strings

tss, xrefs: 02C519E8

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: 23ad666cdd6aaf41615ec9dbfe5c147db1a5a90fd9a7174bfbda4cb76b3c3b2b
Instruction ID: a679208625fad0fa9aa71c3a27861a0a9651acc41a58526199905af3509738ae
Opcode Fuzzy Hash: 23ad666cdd6aaf41615ec9dbfe5c147db1a5a90fd9a7174bfbda4cb76b3c3b2b
Instruction Fuzzy Hash: ECE08631D442245BC3007B7CD84C19FFBA4AA45270F108766ECA9932D0EA7089549BD6

Function 02C53BD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C53BD8
std::bad_exception::bad_exception.LIBCMT ref: 02C53BED

Part of subcall function 02C62497: std::exception::exception.LIBCMT ref: 02C624A1

Part of subcall function 02C5A62D: __EH_prolog.LIBCMT ref: 02C5A632
Part of subcall function 02C5A62D: __CxxThrowException@8.LIBCMT ref: 02C5A65B

Strings

bad cast, xrefs: 02C53BE5

Memory Dump Source

Source File: 00000003.00000002.3386487013.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c51000_zextervideocodec32_64.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 14daa62544c664eb178b04c5b5519ca930842a0915ec38f61b1275b354be1314
Instruction ID: 19f51af0c52f42516f1e28df3605392f90749e752d0f5ec3c4dce39d14ca6dc7
Opcode Fuzzy Hash: 14daa62544c664eb178b04c5b5519ca930842a0915ec38f61b1275b354be1314
Instruction Fuzzy Hash: 64E0DFB0900108DBC704EF54D541BBCBB71EF04301F0040AC9D060B790CB318A46DE86

Function 00404A70 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404A98
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404ACC
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AE6
HeapFree.KERNEL32(00000000,?,?,00000000,00404838,?,?,?,00000100,?,00000000), ref: 00404AFD

Memory Dump Source

Source File: 00000003.00000002.3383048193.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3383048193.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zextervideocodec32_64.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
Instruction ID: e2b6aa67baf941fda6b0a0502f281f3949fe5c10b928d307e266fea8edbc1969
Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
Instruction Fuzzy Hash: 1E1113B0201601EFC7208F19EE85E227BB5FB857217114A3AF692E65F1D770A845CB4C

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Xzm9fAfKhB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socks5Systemz

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\EMAIL Safe Storage 10.2.46\EMAIL Safe Storage 10.2.46.exe

C:\ProgramData\em102it46.dat

C:\ProgramData\em102rc46.dat

C:\ProgramData\em102resa.dat

C:\ProgramData\em102resb.dat

C:\Users\user\AppData\Local\Temp\is-5LAS4.tmp\Xzm9fAfKhB.tmp

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_RegDLL.tmp

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_iscrypt.dll

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-8ASKQ.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Zexter Video Codec\is-0CKRF.tmp

C:\Users\user\AppData\Local\Zexter Video Codec\is-199CA.tmp

C:\Users\user\AppData\Local\Zexter Video Codec\is-3AK63.tmp

C:\Users\user\AppData\Local\Zexter Video Codec\is-4QN63.tmp

C:\Users\user\AppData\Local\Zexter Video Codec\is-57AK2.tmp

Windows Analysis Report
Xzm9fAfKhB.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre