
Windows Analysis Report
SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe

Overview

General Information

Sample name: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
Analysis ID: 1520807
MD5: e3bf1bd1bb1678eca7bc20f0de65fb4f
SHA1: b38add3571b79a31f906cfb92c895d9a65a8d14b
SHA256: 7766b5020c69d2f96d2d86100ee8137ed27764b0b21dddbd398d5b06b3002275
Tags: exe

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
PE file has a writeable .text section
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe (PID: 3168 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe" MD5: E3BF1BD1BB1678ECA7BC20F0DE65FB4F)
    • SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp (PID: 3604 cmdline: "C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp" /SL5="$10434,2865995,56832,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe" MD5: ED4730120FE89130C401E2280D614D75)
      • gerdaplay3se32_64.exe (PID: 772 cmdline: "C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe" -i MD5: C26B00F4D8662FF6FAF6841BDAED9586)
  • cleanup
{"C2 list": ["heketoh.net"]}
Source | Rule | Description | Author | Strings
00000002.00000002.2906105184.0000000002B69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: gerdaplay3se32_64.exe PID: 772 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T23:30:51.433551+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.196.8.214 | 80 | TCP
2024-09-27T23:30:58.182310+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:04.885128+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:10.685863+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:13.697755+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:14.579307+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.504584+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.885024+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:16.763416+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:17.670685+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:18.570556+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.491503+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.889751+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:20.728634+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:21.633021+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:22.545452+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:23.400715+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:24.264093+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:25.164603+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.091434+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.941817+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:27.781324+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:28.631658+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.478363+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.853516+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:31.624022+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.506702+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.883431+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:33.727463+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:34.597846+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:35.519771+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:36.341997+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:37.179408+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.054745+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.418274+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.255678+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.619366+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:40.445356+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:41.369534+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:42.213051+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.033266+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.920621+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:44.749560+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:45.578373+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49775 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:46.400881+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49776 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:47.250686+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.084804+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.916872+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49779 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:49.931624+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49780 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:50.762993+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:51.599294+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:52.536822+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:53.371113+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:54.261607+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49785 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:55.212742+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49786 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.086627+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49787 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.994568+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49788 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:57.827499+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:58.662698+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:59.563816+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49791 | 45.155.250.128 | 80 | TCP
2024-09-27T23:32:00.440828+0200 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 45.155.250.128 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T23:30:51.433551+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 185.196.8.214 | 80 | TCP
2024-09-27T23:30:58.182310+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:04.885128+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:10.685863+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:13.697755+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:14.579307+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.504584+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.885024+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:16.763416+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:17.670685+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:18.570556+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.491503+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.889751+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:20.728634+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:21.633021+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:22.545452+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:23.400715+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:24.264093+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:25.164603+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.091434+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.941817+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:27.781324+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:28.631658+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.478363+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.853516+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:31.624022+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.506702+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.883431+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:33.727463+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:34.597846+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:35.519771+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:36.341997+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:37.179408+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.054745+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.418274+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.255678+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.619366+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:40.445356+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:41.369534+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:42.213051+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.033266+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.920621+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:44.749560+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:45.578373+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49775 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:46.400881+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49776 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:47.250686+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.084804+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.916872+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49779 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:49.931624+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49780 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:50.762993+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:51.599294+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:52.536822+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:53.371113+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:54.261607+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49785 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:55.212742+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49786 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.086627+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49787 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.994568+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49788 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:57.827499+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:58.662698+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49790 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:59.563816+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49791 | 45.155.250.128 | 80 | TCP
2024-09-27T23:32:00.440828+0200 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 45.155.250.128 | 80 | TCP

AV Detection

Source: gerdaplay3se32_64.exe.772.2.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["heketoh.net"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045D230
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045D2E4 ArcFourCrypt,1_2_0045D2E4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045D2FC ArcFourCrypt,1_2_0045D2FC
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Unpacked PE file: 2.2.gerdaplay3se32_64.exe.400000.0.unpack
Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
        Source: Binary string: msvcp71.pdbx# source: is-398M1.tmp.1.dr
        Source: Binary string: msvcr71.pdb< source: is-VF024.tmp.1.dr
        Source: Binary string: F:\Temp\openssl-1.1.1t\libssl-1_1.pdb source: is-56VFF.tmp.1.dr
        Source: Binary string: msvcp71.pdb source: is-398M1.tmp.1.dr
        Source: Binary string: msvcr71.pdb source: is-VF024.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004753C4 FindFirstFileA,FindNextFileA,FindClose,1_2_004753C4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00464200 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464200
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0049877C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_0049877C
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004627F8 FindFirstFileA,FindNextFileA,FindClose,1_2_004627F8
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00463D84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463D84

Networking

        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49749 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49749 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49738 -> 185.196.8.214:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49738 -> 185.196.8.214:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49744 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49744 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49740 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49740 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49754 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49754 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49782 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49782 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49771 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49771 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49760 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49756 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49756 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49736 -> 185.196.8.214:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49784 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49760 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49784 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49790 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49752 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49781 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49752 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49753 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49753 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49780 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49757 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49769 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49736 -> 185.196.8.214:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49757 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49781 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49769 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49746 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49780 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49755 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49755 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49745 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49762 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49764 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49742 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49762 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49764 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49742 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49746 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49787 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49776 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49787 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49776 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49775 -> 45.155.250.128:80
        Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49775 -> 45.155.250.128:80
        Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49739 -> 185.196.8.214:80
        Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49739 -> 185.196.8.214:80
        Source: Malware configuration extractor | URLs: heketoh.net
        Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 195.154.173.35:2023
        Source: Joe Sandbox View | IP Address: 195.154.173.35
        Source: Joe Sandbox View | IP Address: 185.196.8.214
        Source: Joe Sandbox View | ASN Name: MEER-ASmeerfarbigGmbHCoKGDE
        Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1 | Host: bngrkdw.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1 | Host: heketoh.net | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1 | Host: heketoh.net | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | TCP traffic detected without corresponding DNS query: 195.154.173.35
        Source: unknown | UDP traffic detected without corresponding DNS query: 152.89.198.214
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C172AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,_free,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_free,2_2_02C172AB
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1Host: bngrkdw.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1 Host: heketoh.net User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | DNS traffic detected: DNS query: bngrkdw.com
        Source: global traffic | DNS traffic detected: DNS query: heketoh.net
        Source: gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.196.8.214/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1
        Source: gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.155.250.128/
        Source: gerdaplay3se32_64.exe, 00000002.00000002.2906661547.0000000003438000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000002.2907201701.00000000037C2000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.155.250.128/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e
        Source: gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.155.250.128/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2906299541.0000000005C32000.00000004.00001000.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000003.1674692134.00000000026BF000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000000.1674006062.0000000000636000.00000002.00000001.01000000.00000009.sdmp, Eclipse IO Library 9.27.43.exe.2.dr, is-I2BMO.tmp.1.dr, gerdaplay3se32_64.exe.1.dr | String found in binary or memory: http://acritum.com/ocb/
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://cscasha2.ocsp-certum.com04
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ocsp.thawte.com0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://s.symcd.com06
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://subca.ocsp-certum.com01
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://www.certum.pl/CPS0
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UKL5U.tmp.1.dr, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: http://www.openssl.org/f
        Source: is-UM35I.tmp.1.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659481161.0000000002330000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659962647.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UKL5U.tmp.1.dr, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659481161.0000000002330000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659962647.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UKL5U.tmp.1.dr, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: https://d.symcb.com/rpa0.
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0
        Source: is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | String found in binary or memory: https://www.certum.pl/CPS0
        Source: is-56VFF.tmp.1.dr | String found in binary or memory: https://www.openssl.org/H

        System Summary

        Source: gerdaplay3se32_64.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: Eclipse IO Library 9.27.43.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0042F594 NtdllDefWindowProc_A, 1_2_0042F594
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00423B94 NtdllDefWindowProc_A, 1_2_00423B94
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004125E8 NtdllDefWindowProc_A, 1_2_004125E8
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00478EFC NtdllDefWindowProc_A, 1_2_00478EFC
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_0045763C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E944
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045568C
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_0040840C 0_2_0040840C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004708A0 1_2_004708A0
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00480E7E 1_2_00480E7E
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0043533C 1_2_0043533C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0046744C 1_2_0046744C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00488014 1_2_00488014
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004303D0 1_2_004303D0
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0048E4AC 1_2_0048E4AC
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0044453C 1_2_0044453C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00434638 1_2_00434638
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00444AE4 1_2_00444AE4
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00430F5C 1_2_00430F5C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004870B4 1_2_004870B4
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045F16C 1_2_0045F16C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004451DC 1_2_004451DC
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045B21C 1_2_0045B21C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004694C8 1_2_004694C8
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004455E8 1_2_004455E8
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00451A30 1_2_00451A30
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0043DDC4 1_2_0043DDC4
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_00401051 2_2_00401051
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_00401C26 2_2_00401C26
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C2E18D 2_2_02C2E18D
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C29E84 2_2_02C29E84
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C34E29 2_2_02C34E29
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C1EFB1 2_2_02C1EFB1
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C2DC99 2_2_02C2DC99
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C28442 2_2_02C28442
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C2AC3A 2_2_02C2AC3A
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C2E5A5 2_2_02C2E5A5
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C32DB4 2_2_02C32DB4
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C4B950 2_2_02C4B950
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C4B4E5 2_2_02C4B4E5
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C4BCEB 2_2_02C4BCEB
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C4BD58 2_2_02C4BD58
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00408C1C appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00406AD4 appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 0040596C appears 117 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00407904 appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00403400 appears 60 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00445E48 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00457FC4 appears 77 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00457DB8 appears 105 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00434550 appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00403494 appears 83 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 004533B8 appears 98 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00446118 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: String function: 00403684 appears 227 times
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: String function: 02C35330 appears 139 times
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: String function: 02C28AE0 appears 37 times
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-UKL5U.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-UKL5U.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-UKL5U.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-9T8RA.tmp.1.dr | Static PE information: Number of sections : 11 > 10
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659481161.0000000002330000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659962647.0000000002108000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/26@2/3
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C208B8 FormatMessageA,GetLastError, 2_2_02C208B8
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045568C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455EB4
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_0040270C
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0046E1E4 GetVersion,CoCreateInstance, 1_2_0046E1E4
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_0040254E StartServiceCtrlDispatcherA, 2_2_0040254E
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_0040254E StartServiceCtrlDispatcherA, 2_2_0040254E
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Programs
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | File created: C:\Users\user\AppData\Local\Temp\is-42905.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | String found in binary or memory: /LOADINF="filename"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
        Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Process created: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp "C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp" /SL5="$10434,2865995,56832,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Process created: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe "C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe" -i
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Process created: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp "C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp" /SL5="$10434,2865995,56832,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Process created: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe "C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe" -i
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: dsound.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Window found: window name: TMainForm
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
        Source: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Static file information: File size 3132268 > 1048576
        Source: Binary string: msvcp71.pdbx# source: is-398M1.tmp.1.dr
        Source: Binary string: msvcr71.pdb< source: is-VF024.tmp.1.dr
        Source: Binary string: F:\Temp\openssl-1.1.1t\libssl-1_1.pdb source: is-56VFF.tmp.1.dr
        Source: Binary string: msvcp71.pdb source: is-398M1.tmp.1.dr
        Source: Binary string: msvcr71.pdb source: is-VF024.tmp.1.dr

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Unpacked PE file: 2.2.gerdaplay3se32_64.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Unpacked PE file: 2.2.gerdaplay3se32_64.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450334
        Source: is-9T8RA.tmp.1.dr | Static PE information: section name: .eh_fram
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0048446C push 0048457Ah; ret 1_2_00484572
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0040995C push 00409999h; ret 1_2_00409991
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00458060 push 00458098h; ret 1_2_00458090
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax 1_2_004062C5
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004104F0 push ecx; mov dword ptr [esp], edx 1_2_004104F5
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00412938 push 0041299Bh; ret 1_2_00412993
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0049AD30 pushad ; retf 1_2_0049AD3F
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0040CE48 push ecx; mov dword ptr [esp], edx 1_2_0040CE4A
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00459378 push 004593BCh; ret 1_2_004593B4
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00495384 push ecx; mov dword ptr [esp], ecx 1_2_00495389
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0040F3A8 push ecx; mov dword ptr [esp], edx 1_2_0040F3AA
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004434B4 push ecx; mov dword ptr [esp], ecx 1_2_004434B8
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045186C push 0045189Fh; ret 1_2_00451897
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00451A30 push ecx; mov dword ptr [esp], eax 1_2_00451A35
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00485B5C push ecx; mov dword ptr [esp], ecx 1_2_00485B61
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00419C38 push ecx; mov dword ptr [esp], ecx 1_2_00419C3D
        Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0045FDC4 push ecx; mov dword ptr [esp], ecx 1_2_0045FDC8

        Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 2_2_00401A4F
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 2_2_02C1F7DA
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-398M1.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | File created: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-VF024.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\is-UKL5U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-UM35I.tmp
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | File created: C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-9T8RA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-VU6L0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | File created: C:\Users\user\AppData\Local\Gerda Play3 SE\is-56VFF.tmp

        Boot Survival

Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 2_2_00401A4F
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 2_2_02C1F7DA
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_0040254E StartServiceCtrlDispatcherA, | 2_2_0040254E
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, | 1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus, | 1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004241A4 IsIconic,SetActiveWindow, | 1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, | 1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, | 1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, | 1_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004175A8 IsIconic,GetCapture, | 1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00417CDE IsIconic,SetWindowPos, | 1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, | 1_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00483E20 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, | 1_2_00483E20
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, | 1_2_0041F128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (this entry appears 9 times in the report)
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, | 2_2_00401B4B
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, | 2_2_02C1F8DE
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Window / User API: threadDelayed 1971
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Window / User API: threadDelayed 7917
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-398M1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-VF024.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\is-UKL5U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-UM35I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-9T8RA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-VU6L0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Gerda Play3 SE\is-56VFF.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_0-5976
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_2-20953
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe TID: 1596 | Thread sleep count: 1971 > 30
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe TID: 1596 | Thread sleep time: -3942000s >= -30000s
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe TID: 5232 | Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe TID: 5232 | Thread sleep time: -2340000s >= -30000s
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe TID: 1596 | Thread sleep count: 7917 > 30
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe TID: 1596 | Thread sleep time: -15834000s >= -30000s
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00452AD4 FindFirstFileA,GetLastError, | 1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004753C4 FindFirstFileA,FindNextFileA,FindClose, | 1_2_004753C4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00464200 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, | 1_2_00464200
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0049877C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, | 1_2_0049877C
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_004627F8 FindFirstFileA,FindNextFileA,FindClose, | 1_2_004627F8
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00463D84 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, | 1_2_00463D84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, | 0_2_00409B78
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Thread delayed: delay time: 60000
Source: gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | API call chain: ExitProcess graph end node | graph_0-6773
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | API call chain: ExitProcess graph end node | graph_2-21173
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C300FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 2_2_02C300FE
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 1_2_00450334
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C1648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, | 2_2_02C1648B
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C29468 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_02C29468
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00478940 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, | 1_2_00478940
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA, | 1_2_0042EE28
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, | 1_2_0042E0AC
Source: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | Code function: 2_2_02C1F792 cpuid | 2_2_02C1F792
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: GetLocaleInfoA, | 0_2_0040520C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: GetLocaleInfoA, | 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: GetLocaleInfoA, | 1_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: GetLocaleInfoA, | 1_2_004085C4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, | 1_2_00458670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_004026C4 GetSystemTime, | 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp | Code function: 1_2_00455644 GetUserNameA, | 1_2_00455644
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | Code function: 0_2_00405CF4 GetVersionExA, | 0_2_00405CF4
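The sleep-loop entries above follow simple arithmetic: the magnitude of each "Thread sleep time" value is the per-call delay multiplied by the call count (1971 × 2000 ms = 3,942,000; 7917 × 2000 ms = 15,834,000; 39 × 60,000 ms = 2,340,000, which agrees with the "delay time: 60000" entry), and the verdict lines print the two thresholds the sandbox applies: more than 30 Sleep calls on one thread, or at least 30,000 ms slept in total. The Python below is an added example, not part of the Joe Sandbox report, that applies the same heuristic to an API trace. The trace lines are constructed in a format of my own (pid/tid/api/ms/count) using this report's thread IDs, delays and counts for gerdaplay3se32_64.exe (PID 772), plus one benign thread; the thresholds are the ones the report prints.

```python
import re
from dataclasses import dataclass

# Thresholds exactly as the report prints them in its verdict lines
# ("Thread sleep count: 1971 > 30", "Thread sleep time: -3942000s >= -30000s").
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TOTAL_MS_THRESHOLD = 30_000

# Constructed trace (my own line format, not the sandbox's raw log). Delays and
# counts are the ones this report attributes to PID 772: 1971 and 7917 calls of
# Sleep(2000) on TID 1596, 39 calls of Sleep(60000) on TID 5232, and one benign
# thread (TID 4100, constructed) that sleeps 12 x 50 ms.
SAMPLE_TRACE = """\
pid=772 tid=1596 api=Sleep ms=2000 count=1971
pid=772 tid=5232 api=Sleep ms=60000 count=39
pid=772 tid=1596 api=Sleep ms=2000 count=7917
pid=772 tid=4100 api=Sleep ms=50 count=12
"""

LINE_RE = re.compile(r"pid=(\d+)\s+tid=(\d+)\s+api=(\w+)\s+ms=(\d+)\s+count=(\d+)")


@dataclass
class ThreadSleep:
    pid: int
    tid: int
    calls: int = 0      # cumulative Sleep calls on this thread
    total_ms: int = 0   # cumulative delay requested, in milliseconds


def parse_trace(text: str) -> dict:
    """Aggregate Sleep calls per (pid, tid): call count and total requested delay."""
    per_thread: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "Sleep":
            continue
        pid, tid = int(m.group(1)), int(m.group(2))
        ms, count = int(m.group(4)), int(m.group(5))
        entry = per_thread.setdefault((pid, tid), ThreadSleep(pid, tid))
        entry.calls += count
        entry.total_ms += ms * count
    return per_thread


def flag_sleep_evasion(per_thread: dict) -> list:
    """Return (tid, calls, total_ms, reasons), sorted by tid, for every thread that
    crosses either threshold. The report prints the total as a negative number;
    that sign most likely reflects the relative-interval convention of
    NtDelayExecution (negative = relative delay), so only the magnitude matters."""
    hits = []
    for entry in per_thread.values():
        reasons = []
        if entry.calls > SLEEP_COUNT_THRESHOLD:
            reasons.append(f"sleep count {entry.calls} > {SLEEP_COUNT_THRESHOLD}")
        if entry.total_ms >= SLEEP_TOTAL_MS_THRESHOLD:
            reasons.append(f"total sleep {entry.total_ms} ms >= {SLEEP_TOTAL_MS_THRESHOLD} ms")
        if reasons:
            hits.append((entry.tid, entry.calls, entry.total_ms, reasons))
    return sorted(hits)


if __name__ == "__main__":
    for tid, calls, total_ms, reasons in flag_sleep_evasion(parse_trace(SAMPLE_TRACE)):
        print(f"TID {tid}: {calls} Sleep calls, {total_ms} ms total: {'; '.join(reasons)}")
```

Aggregating per thread rather than per call is what makes the 60-second sleeps on TID 5232 visible: 39 calls is only just over the count threshold, but 2,340,000 ms of requested delay is the stronger signal, and a sandbox that patches Sleep to return early will still record the request.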

        Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.2906105184.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gerdaplay3se32_64.exe PID: 772, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.2906105184.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gerdaplay3se32_64.exe PID: 772, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix was flattened by extraction and is rebuilt here one tactic column at a time. A number in front of a technique is the count the report attaches to techniques matched by this sample's signatures; unnumbered entries are the unmatched template cells of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 3 Native API; 2 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 5 Windows Service; 1 Bootkit; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 5 Windows Service; 2 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 2 Process Injection; 1 Bootkit; Dynamic API Resolution; Stripped Payloads
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 35 System Information Discovery; 41 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | 11% | ReversingLabs | Win32.Trojan.Munp |

Source | Detection | Scanner | Label | Link
C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\is-398M1.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\is-56VFF.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\is-9T8RA.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\is-UM35I.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\is-VF024.tmp | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\is-VU6L0.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy) | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-ET52T.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.innosetup.com/ | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://repository.certum.pl/ctnca.cer09 | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://crl.certum.pl/ctnca.crl0k | 0% | URL Reputation | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
https://www.certum.pl/CPS0 | 0% | URL Reputation | safe |
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe |
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe |
https://www.openssl.org/H | 0% | URL Reputation | safe |
http://www.remobjects.com/ps | 0% | URL Reputation | safe |
http://www.openssl.org/f | 0% | URL Reputation | safe |
http://www.certum.pl/CPS0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
heketoh.net | 45.155.250.128 | true | true | | unknown
bngrkdw.com | 185.196.8.214 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://heketoh.net/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c | true | | unknown
http://heketoh.net/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 | true | | unknown
heketoh.net | true | | unknown
http://bngrkdw.com/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c | true | | unknown
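The indicators in the tables above (two domains, two IPs, and beacon URLs of the form /search/?q=<long hex>) can be turned directly into detection logic. The Python below is an added example, not part of the Joe Sandbox report. It copies the report's domains, IPs, the two dropped executables and both distinct q= tokens (200 and 208 hex characters; they share their first 47 characters, the same token is sent to heketoh.net and to bngrkdw.com, and a prefix of the second token appears as a memory string against the raw IP 45.155.250.128), matches them against a constructed proxy log, and also flags the beacon shape on its own so that a host the report never saw is still caught when it sends the same kind of request. The minimum token length of 128 hex characters and the proxy log format are assumptions of mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators copied from this report's network and dropped-file tables.
C2_DOMAINS = {"heketoh.net", "bngrkdw.com"}
C2_IPS = {"45.155.250.128", "185.196.8.214"}
DROPPED_FILES = (
    r"AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe",
    r"ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe",
)
# The two distinct q= tokens in the report's C2 URLs, copied verbatim.
TOKEN_A = "67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c"
TOKEN_B = "67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311"

# Beacon shape: GET /search/?q=<long lowercase hex>. The minimum length is an
# assumption: far below the 200+ characters seen here, far above a real query.
MIN_TOKEN_HEX = 128
HEX_RE = re.compile(r"[0-9a-f]+")
BEACON_REASON = "Socks5Systemz-style /search/?q=<hex> beacon"


def beacon_token(url: str):
    """Return the hex token if the URL has the report's beacon shape, else None."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != "/search":
        return None
    q = parse_qs(parts.query).get("q", [""])[0]
    return q if len(q) >= MIN_TOKEN_HEX and HEX_RE.fullmatch(q) else None


def classify_url(url: str) -> list:
    """All reasons a URL matches this report's indicators (empty list = clean)."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("known C2 domain")
    if host in C2_IPS:
        reasons.append("known C2 IP")
    if beacon_token(url) is not None:
        reasons.append(BEACON_REASON)
    return reasons


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common prefix of two tokens: a pivot for grouping beacons."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def matches_dropped_file(path: str) -> bool:
    """True if a process or file path ends in one of the report's dropped files."""
    p = path.lower()
    return any(p.endswith(d.lower()) for d in DROPPED_FILES)


# Constructed proxy log (not from the report): "<ts> <client> <method> <url> <status>".
FAKE_TOKEN = "ab" * 80   # 160 hex chars sent to a host the report never saw
SAMPLE_PROXY_LOG = f"""\
2024-09-27T10:00:01Z 10.0.0.5 GET http://heketoh.net/search/?q={TOKEN_A} 200
2024-09-27T10:00:02Z 10.0.0.5 GET http://bngrkdw.com/search/?q={TOKEN_A} 200
2024-09-27T10:00:03Z 10.0.0.5 GET http://45.155.250.128/search/?q={TOKEN_B} 200
2024-09-27T10:00:04Z 10.0.0.5 GET http://unlisted.invalid/search/?q={FAKE_TOKEN} 200
2024-09-27T10:00:05Z 10.0.0.7 GET https://www.example.com/search/?q=openssl+faq 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(text: str) -> list:
    """Return one dict per suspicious request: timestamp, client, host, reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": ts, "client": client,
                         "host": urlsplit(url).hostname, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["ts"], hit["client"], hit["host"], "; ".join(hit["reasons"]))
    print("shared token prefix:", shared_prefix_len(TOKEN_A, TOKEN_B))
```

The last constructed line (a short, non-hex query to a search site) is the false-positive check: the path alone is too common to alert on, so the shape rule requires the long lowercase-hex payload as well. Host and IP lists age quickly for this family; the shape rule is what keeps the detection useful after the domains rotate.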
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UKL5U.tmp.1.dr, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://repository.certum.pl/ctnca.cer09 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
http://repository.certum.pl/cscasha2.cer0 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | | unknown
http://45.155.250.128/ | gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://crl.certum.pl/ctnca.crl0k | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | false | | unknown
http://ocsp.thawte.com0 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe | false | | unknown
http://45.155.250.128/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e | gerdaplay3se32_64.exe, 00000002.00000002.2906661547.0000000003438000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000002.2907201701.00000000037C2000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
https://www.certum.pl/CPS0 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
http://crl.certum.pl/cscasha2.crl0q | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | | unknown
http://cscasha2.ocsp-certum.com04 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | | unknown
http://www.openssl.org/support/faq.html | is-UM35I.tmp.1.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.remobjects.com/psU | SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659481161.0000000002330000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659962647.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UKL5U.tmp.1.dr, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | false | | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
http://acritum.com/ocb/ | SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2906299541.0000000005C32000.00000004.00001000.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000003.1674692134.00000000026BF000.00000004.00000020.00020000.00000000.sdmp, gerdaplay3se32_64.exe, 00000002.00000000.1674006062.0000000000636000.00000002.00000001.01000000.00000009.sdmp, Eclipse IO Library 9.27.43.exe.2.dr, is-I2BMO.tmp.1.dr, gerdaplay3se32_64.exe.1.dr | false | | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
https://www.openssl.org/H | is-56VFF.tmp.1.dr | false | URL Reputation: safe | unknown
http://45.155.250.128/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df | gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/ps | SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659481161.0000000002330000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe, 00000000.00000003.1659962647.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp, 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UKL5U.tmp.1.dr, SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp.0.dr | false | URL Reputation: safe | unknown
http://185.196.8.214/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1 | gerdaplay3se32_64.exe, 00000002.00000002.2905537682.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.openssl.org/f | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.certum.pl/CPS0 | is-UM35I.tmp.1.dr, is-VU6L0.tmp.1.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.154.173.35 | unknown | France | 12876 | OnlineSASFR | false
45.155.250.128 | heketoh.net | Germany | 34549 | MEER-ASmeerfarbigGmbHCoKGDE | true
185.196.8.214 | bngrkdw.com | Switzerland | 34888 | SIMPLECARRER2IT | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1520807
                                          Start date and time:2024-09-27 23:29:05 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 50s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@5/26@2/3
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 92%
                                          • Number of executed functions: 196
                                          • Number of non-executed functions: 250
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
Time | Type | Description
17:30:30 | API Interceptor | 442925x Sleep call for process: gerdaplay3se32_64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
Match: 195.154.173.35
EvKSsyJozV.exe | malicious | Socks5Systemz
J2alzv5eSV.exe | malicious | Socks5Systemz
CSBls4grBI.exe | malicious | LummaC, Socks5Systemz
CmpQ9KLAn2.exe | malicious | Socks5Systemz
MV1Jj4KF8c.exe | malicious | Socks5Systemz
7Q957DAcIY.exe | malicious | Socks5Systemz
DHCPY55Rnh.exe | malicious | Socks5Systemz
ojwgPHqHSu.exe | malicious | Socks5Systemz
9HpSQvf9Fp.exe | malicious | Socks5Systemz
GbHIkQKQXU.exe | malicious | Socks5Systemz
Match: 45.155.250.128
7Q957DAcIY.exe | malicious | Socks5Systemz
5nv1p4kFmC.exe | malicious | Socks5Systemz
QnWrzyeT88.exe | malicious | Socks5Systemz
Match: 185.196.8.214
SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe | malicious | Socks5Systemz
EvKSsyJozV.exe | malicious | Socks5Systemz
7Q957DAcIY.exe | malicious | Socks5Systemz
ojwgPHqHSu.exe | malicious | Socks5Systemz
gc1jixYB41.exe | malicious | Socks5Systemz
0MLmPQryRQ.exe | malicious | Socks5Systemz
noode.exe | malicious | Socks5Systemz
noode.exe | malicious | Socks5Systemz
5nv1p4kFmC.exe | malicious | Socks5Systemz
QnWrzyeT88.exe | malicious | Socks5Systemz
                                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: MEER-ASmeerfarbigGmbHCoKGDE
SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe | malicious | Socks5Systemz | 45.155.249.117
EvKSsyJozV.exe | malicious | Socks5Systemz | 45.155.249.117
https://cdn.dragon.cere.network/650/baear4ia25k7qjgnjpu3533aobratgc7f7utrnphbcakeyjwuqxfk2agrga/AT880/index.html | malicious | Unknown | 178.251.228.188
7Q957DAcIY.exe | malicious | Socks5Systemz | 45.155.250.128
ojwgPHqHSu.exe | malicious | Socks5Systemz | 45.155.249.117
gc1jixYB41.exe | malicious | Socks5Systemz | 45.155.249.117
0MLmPQryRQ.exe | malicious | Socks5Systemz | 45.155.249.117
5nv1p4kFmC.exe | malicious | Socks5Systemz | 45.155.250.128
QnWrzyeT88.exe | malicious | Socks5Systemz | 45.155.250.128
https://manuabraham.info/?geinoapu&email=youare@adumbcntforkeepingthisup.com.au | malicious | HTMLPhisher | 45.155.250.199
Match: SIMPLECARRER2IT
SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe | malicious | Socks5Systemz | 185.196.8.214
SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe | malicious | Socks5Systemz | 185.208.158.248
http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com | malicious | HTMLPhisher | 185.208.158.9
https://www.pineapplehospitality.net/ | malicious | Unknown | 185.208.159.111
file.exe | malicious | Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz | 185.208.158.248
file.exe | malicious | Socks5Systemz | 185.208.158.248
boSodF2WmT.exe | malicious | Socks5Systemz | 185.208.158.248
http://0e0hshi.trafiklite.com/ | malicious | HTMLPhisher | 185.208.158.9
file.exe | malicious | Socks5Systemz | 185.208.158.248
WG Viridium-gruppe requests your signature on 'Viridium-gruppe Employees Benefit Enrollment.pdf'.msg | malicious | HTMLPhisher | 185.208.158.9
Match: OnlineSASFR
report_209.pdf | malicious | Unknown | 62.210.196.157
g3V051umJf.html | malicious | Unknown | 212.129.25.206
https://campaignjoinnow42.cloud/ | malicious | Unknown | 51.159.84.191
EvKSsyJozV.exe | malicious | Socks5Systemz | 195.154.173.35
J2alzv5eSV.exe | malicious | Socks5Systemz | 195.154.173.35
CSBls4grBI.exe | malicious | LummaC, Socks5Systemz | 195.154.173.35
http://urlz.fr/r4ku | malicious | Unknown | 212.83.160.162
CmpQ9KLAn2.exe | malicious | Socks5Systemz | 195.154.173.35
MV1Jj4KF8c.exe | malicious | Socks5Systemz | 195.154.173.35
7Q957DAcIY.exe | malicious | Socks5Systemz | 195.154.173.35
                                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)
SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe | malicious | Socks5Systemz
SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe | malicious | Socks5Systemz
file.exe | malicious | Clipboard Hijacker, Cryptbot, Neoreklami, Socks5Systemz
file.exe | malicious | Socks5Systemz
boSodF2WmT.exe | malicious | Socks5Systemz
file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz
file.exe | malicious | Socks5Systemz
8b8h4p07ND.exe | malicious | Socks5Systemz
EvKSsyJozV.exe | malicious | Socks5Systemz
mfRfEQGtYF.exe | malicious | Socks5Systemz
                                                                                                            Process:C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2662400
                                                                                                            Entropy (8bit):6.852886528764481
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:j+mwVVY6PCW6coGceGNSznL8D3MdgENHObtCB:WyvW2GceGNS/O3MBHatC
                                                                                                            MD5:C26B00F4D8662FF6FAF6841BDAED9586
                                                                                                            SHA1:8414CD9E41DF37F3668C733A8E543C491A60839E
                                                                                                            SHA-256:C6BF8DFD634EB5132150DB0E7166FEBA65AC808AA96ED549EDDE23E835223500
                                                                                                            SHA-512:FAC1FE2C6A0CB9033CCF677E6B378801212B41A46B50C968BE17178A242407D1C918BA0B8AB7B1EBF0205032F7B3498C0C613B5EC3DD7FE84CE31DDCD6D98DF2
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Reputation:low
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......L.................."..........\"......."...@...........................(......G).....................................L."......`#.Ph............................................................................".t............................text.....".......".................`....rdata..l5...."..@....".............@..@.data...xT....#..0....#.............@....rsrc....p...`#..p...0#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8
                                                                                                            Entropy (8bit):2.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:4SDll/:4Sz
                                                                                                            MD5:EB6569CFE65E66CF29D5F2B14084332D
                                                                                                            SHA1:1440B025FD9E59C96476453ED8E0ED7511F75B94
                                                                                                            SHA-256:AE5045EA49465E118496B70E9AB353A73697918383392477DF8C3B2A09FBBF2C
                                                                                                            SHA-512:6A1D755DC7740F3BB564DC9A5A5A1A0C9DC619BD854C006EBA0E7CF3E74ECD8014CAC740C629DB7061E8D6FD3DA55CF9AE19703EE06B071851C6769D6D9B06CF
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            Preview:.$.f....
                                                                                                            Process:C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4
                                                                                                            Entropy (8bit):0.8112781244591328
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:G:G
                                                                                                            MD5:5AAA15985431EDED3473BE4286F8DF07
                                                                                                            SHA1:9003157CE8CC9D5550ADF9B1EF677881AC34ECC3
                                                                                                            SHA-256:E2733B3DB9D93B0AC4E656AA12B839B92D1B7E1A4C5D97C74CB05C700672CC87
                                                                                                            SHA-512:EB018B81A598E25CFAE1FC22E038740D2A6466C9C35874345EDF14BC1A6DCBA9E477165CF64DD610C3FE1ED7ECB98F4B66779E6736989007EEAD9C40A1454718
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            Preview:7...
                                                                                                            Process:C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):128
                                                                                                            Entropy (8bit):2.9545817380615236
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                                            MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                                            SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                                            SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                                            SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):128
                                                                                                            Entropy (8bit):1.7095628900165245
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                                                            MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                                                            SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                                                            SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                                                            SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):334848
                                                                                                            Entropy (8bit):6.5257884005400015
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:JmuFcP82IqE5RSbvQpYVgMW2i32blpDW2pmoZ1:JmuFc02IqE7SbLVgR1O
                                                                                                            MD5:C1D465E061D7D02895DAEB19BDB28AC9
                                                                                                            SHA1:5E729EE51DF080545C7031D771B85094A2B2D4E9
                                                                                                            SHA-256:777917D30F277A9E88D8FC04E69B955A2B0BD3F2BCF2E36F7F9CFFEF2583EE60
                                                                                                            SHA-512:438ADAA0AC3AD47621D288E3FF56493CC7DE4E2A89FC5420E246A6045DB79E7CB84A28D3F3420841340AB33BD632F12FDC3A4E9D8EF99601CA9F975B7F8309E1
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                             Joe Sandbox View:
                                                                                                             • Filename: SecuriteInfo.com.Gen.Heur.Munp.1.20199.21407.exe, Detection: malicious
                                                                                                             • Filename: SecuriteInfo.com.Gen.Heur.Munp.1.15479.6612.exe, Detection: malicious
                                                                                                             • Filename: file.exe, Detection: malicious
                                                                                                             • Filename: file.exe, Detection: malicious
                                                                                                             • Filename: boSodF2WmT.exe, Detection: malicious
                                                                                                             • Filename: file.exe, Detection: malicious
                                                                                                             • Filename: file.exe, Detection: malicious
                                                                                                             • Filename: 8b8h4p07ND.exe, Detection: malicious
                                                                                                             • Filename: EvKSsyJozV.exe, Detection: malicious
                                                                                                             • Filename: mfRfEQGtYF.exe, Detection: malicious
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:modified
                                                                                                            Size (bytes):2662400
                                                                                                            Entropy (8bit):6.852886528764481
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:j+mwVVY6PCW6coGceGNSznL8D3MdgENHObtCB:WyvW2GceGNS/O3MBHatC
                                                                                                            MD5:C26B00F4D8662FF6FAF6841BDAED9586
                                                                                                            SHA1:8414CD9E41DF37F3668C733A8E543C491A60839E
                                                                                                            SHA-256:C6BF8DFD634EB5132150DB0E7166FEBA65AC808AA96ED549EDDE23E835223500
                                                                                                            SHA-512:FAC1FE2C6A0CB9033CCF677E6B378801212B41A46B50C968BE17178A242407D1C918BA0B8AB7B1EBF0205032F7B3498C0C613B5EC3DD7FE84CE31DDCD6D98DF2
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):499712
                                                                                                            Entropy (8bit):6.414789978441117
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                                            MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                                            SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                                            SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                                            SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):719720
                                                                                                            Entropy (8bit):6.620042925263483
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:ST+z0ucMr64M+yiwUqfWY/EThHzgOXfpwN9Cu66vLHL1e13XYFU8HtUDsMBPxtFe:FPAeKLL1e6kpqsookesEiU1xJycD4R1z
                                                                                                            MD5:20B6B06BBD211A8ACFE51193653E4167
                                                                                                            SHA1:817D442B46DD6F35FD9641E0C7262C934ED76848
                                                                                                            SHA-256:7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
                                                                                                            SHA-512:0F0C31D46E7274F28F62AFBBB4A172CB088AF40F6C71A56297B08D83D16548C0A4FDA4CF5F4A29C1445EEDF15FE81FC405E2EB8680F92C744406D031A05A72C8
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):334848
                                                                                                            Entropy (8bit):6.5257884005400015
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:JmuFcP82IqE5RSbvQpYVgMW2i32blpDW2pmoZ1:JmuFc02IqE7SbLVgR1O
                                                                                                            MD5:C1D465E061D7D02895DAEB19BDB28AC9
                                                                                                            SHA1:5E729EE51DF080545C7031D771B85094A2B2D4E9
                                                                                                            SHA-256:777917D30F277A9E88D8FC04E69B955A2B0BD3F2BCF2E36F7F9CFFEF2583EE60
                                                                                                            SHA-512:438ADAA0AC3AD47621D288E3FF56493CC7DE4E2A89FC5420E246A6045DB79E7CB84A28D3F3420841340AB33BD632F12FDC3A4E9D8EF99601CA9F975B7F8309E1
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2662400
                                                                                                            Entropy (8bit):6.852886332276073
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:g+mwVVY6PCW6coGceGNSznL8D3MdgENHObtCB:DyvW2GceGNS/O3MBHatC
                                                                                                            MD5:B62B755737360199A16A0D76CF88A4E7
                                                                                                            SHA1:059ED8D812416DD8E308BF1C7B77710C114A86A5
                                                                                                            SHA-256:13255B9D2D77D136BDDFD7432C479B47DE4DB3BE92C7FD3DEB53340EF75D89D7
                                                                                                            SHA-512:C1763A1E5CCCAF0AEAB0E53F62C0B266181F6638601EDE122B4262487ADA5900A7C2CEA7E91F2686A14D459FE60A3B280AD1416E06746E24740AD30DBCE72BEC
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1471856
                                                                                                            Entropy (8bit):6.8308189184145665
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:6PQ+KpPa3kPjWWJy+0PX7PM6ZB9In8QmMMWwI6/I+no9R2aFVWKZxPo89/xc3lRc:brWW0jnMVpUBuwemQnGP8RqYr1mpbk3
                                                                                                            MD5:A236287C42F921D109475D47E9DCAC2B
                                                                                                            SHA1:6D7C177A0AC3076383669BCE46608EB4B6B787EC
                                                                                                            SHA-256:63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
                                                                                                            SHA-512:C325B12235AD77937E3799F1406EB6AA3BC5479BFDFF0EA2F2178FE243E63689AC37BB539ADCBB326B0DE6C09B884771AD57F59184A5B69065682855382ADD8A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):348160
                                                                                                            Entropy (8bit):6.542655141037356
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                                            MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                                            SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                                            SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                                            SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):392048
                                                                                                            Entropy (8bit):6.542831007177094
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
                                                                                                            MD5:EE856A00410ECED8CC609936D01F954E
                                                                                                            SHA1:705D378626AEC86FECFDF04C86244006BC3AF431
                                                                                                            SHA-256:B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
                                                                                                            SHA-512:666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4*.$QN.%4*.$.N.%4*.$IN.%4*.$YN.%.*.$HN.%.*.$GN.%.*.$KN.%.*.$XN.%[N.%.O.%.*.$iN.%.*.$ZN.%.*e%ZN.%.*.$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1471856
                                                                                                            Entropy (8bit):6.8308189184145665
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:6PQ+KpPa3kPjWWJy+0PX7PM6ZB9In8QmMMWwI6/I+no9R2aFVWKZxPo89/xc3lRc:brWW0jnMVpUBuwemQnGP8RqYr1mpbk3
                                                                                                            MD5:A236287C42F921D109475D47E9DCAC2B
                                                                                                            SHA1:6D7C177A0AC3076383669BCE46608EB4B6B787EC
                                                                                                            SHA-256:63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD
                                                                                                            SHA-512:C325B12235AD77937E3799F1406EB6AA3BC5479BFDFF0EA2F2178FE243E63689AC37BB539ADCBB326B0DE6C09B884771AD57F59184A5B69065682855382ADD8A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A.W.A.W.A.W.%.V.A.W.%.VeA.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.%.V.A.W.A.WUA.W.A.W.A.W2%.V.C.W2%.V.A.W2%.W.A.W2%.V.A.WRich.A.W................PE..L.....r^...........!.....v...............................................................@..........................r......H*..x.......X............B..p3..........@e..............................`e..@............................................text....u.......v.................. ..`.rdata..............z..............@..@.data........@...j... ..............@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):719720
                                                                                                            Entropy (8bit):6.620042925263483
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:ST+z0ucMr64M+yiwUqfWY/EThHzgOXfpwN9Cu66vLHL1e13XYFU8HtUDsMBPxtFe:FPAeKLL1e6kpqsookesEiU1xJycD4R1z
                                                                                                            MD5:20B6B06BBD211A8ACFE51193653E4167
                                                                                                            SHA1:817D442B46DD6F35FD9641E0C7262C934ED76848
                                                                                                            SHA-256:7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4
                                                                                                            SHA-512:0F0C31D46E7274F28F62AFBBB4A172CB088AF40F6C71A56297B08D83D16548C0A4FDA4CF5F4A29C1445EEDF15FE81FC405E2EB8680F92C744406D031A05A72C8
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+X?|o9Q/o9Q/o9Q/{RR.e9Q/{RT..9Q/{RU.}9Q/{RP.m9Q/=QT.r9Q/=QU.`9Q/=QR.z9Q/.PP.l9Q/o9P/j;Q/.PU.C9Q/.PQ.n9Q/.P./n9Q/.PS.n9Q/Richo9Q/................PE..L...3..c...........!.....d...~......Z........................................ .......9....@.............................4@...)..<.......................h).......S..@...T...............................@............................................text...Lb.......d.................. ..`.rdata...............h..............@..@.data...`I...`...6...D..............@....rsrc................z..............@..@.reloc...S.......T...~..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):499712
                                                                                                            Entropy (8bit):6.414789978441117
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                                            MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                                            SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                                            SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                                            SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):348160
                                                                                                            Entropy (8bit):6.542655141037356
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                                            MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                                            SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                                            SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                                            SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):392048
                                                                                                            Entropy (8bit):6.542831007177094
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
                                                                                                            MD5:EE856A00410ECED8CC609936D01F954E
                                                                                                            SHA1:705D378626AEC86FECFDF04C86244006BC3AF431
                                                                                                            SHA-256:B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
                                                                                                            SHA-512:666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4*.$QN.%4*.$.N.%4*.$IN.%4*.$YN.%.*.$HN.%.*.$GN.%.*.$KN.%.*.$XN.%[N.%.O.%.*.$iN.%.*.$ZN.%.*e%ZN.%.*.$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):720033
                                                                                                            Entropy (8bit):6.5224445917545
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:sQCCh1TaLSSKrPD37zzH2A6QGgx/nstpq9KgER19zrNidbZgUHayxyF8:sQPh1eLSSKrPD37zzH2A6QD/srqggE7M
                                                                                                            MD5:6D1FF7EBD3B8DB9F7CD19341A7B31385
                                                                                                            SHA1:50A560D45C5277CDE22940C59B03FC93726466B6
                                                                                                            SHA-256:C6AF8C9BC1DEF641E24516494D81A8988B348138E42F874EB09B7FF27BEBED50
                                                                                                            SHA-512:3F281DC79656C8614622474BB778000730EDCB4C0C8D9EDA907632A4F56A5A3F839644D37E5BF985FB990E1E3DF219BBA8D6F6D7F26D3B608BC77334CBC8A61D
                                                                                                            Malicious:true
                                                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%........................................................... ......................................................CODE............................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata....... ......................@..P.reloc..H....0......................@..P.rsrc...............................@..P.....................\..............@..P........................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:InnoSetup Log Gerda Play3 SE, version 0x30, 4467 bytes, 258555\user, "C:\Users\user\AppData\Local\Gerda Play3 SE"
                                                                                                            Category:dropped
                                                                                                            Size (bytes):4467
                                                                                                            Entropy (8bit):4.627746999674898
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:jcSz8Wtjv88apflLY6sJ9X+eOIh2v4cVSQs0L4b3i:jc88Wtb89pNLYaHIhNcVSQ13
                                                                                                            MD5:34FE59A93CF931AA9201901FC1678879
                                                                                                            SHA1:A3330CE78F4C631A4E57F2801642C5460EFB3E40
                                                                                                            SHA-256:E07C25AEC1E4D3DE008E1843C0B6C7B9B6E03BBBFB0BA36F0A4ADC80809A11AC
                                                                                                            SHA-512:1B9D2C5AACEDB243C591DDDA5E519EF75F73A8FAA9FFB5E35A289637CCD9FC03F12EBC70C2F12D267C925FF8E7228726A561A21ED98189DEDFA937DDAA9CF1CC
                                                                                                            Malicious:false
                                                                                                            Preview:Inno Setup Uninstall Log (b)....................................Gerda Play3 SE..................................................................................................................Gerda Play3 SE..................................................................................................................0.......s...%.....................................................................................................................X....$........K....258555.user+C:\Users\user\AppData\Local\Gerda Play3 SE.............7.h.. .....`......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):720033
                                                                                                            Entropy (8bit):6.5224445917545
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:sQCCh1TaLSSKrPD37zzH2A6QGgx/nstpq9KgER19zrNidbZgUHayxyF8:sQPh1eLSSKrPD37zzH2A6QD/srqggE7M
                                                                                                            MD5:6D1FF7EBD3B8DB9F7CD19341A7B31385
                                                                                                            SHA1:50A560D45C5277CDE22940C59B03FC93726466B6
                                                                                                            SHA-256:C6AF8C9BC1DEF641E24516494D81A8988B348138E42F874EB09B7FF27BEBED50
                                                                                                            SHA-512:3F281DC79656C8614622474BB778000730EDCB4C0C8D9EDA907632A4F56A5A3F839644D37E5BF985FB990E1E3DF219BBA8D6F6D7F26D3B608BC77334CBC8A61D
                                                                                                            Malicious:true
                                                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%........................................................... ......................................................CODE............................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata....... ......................@..P.reloc..H....0......................@..P.rsrc...............................@..P.....................\..............@..P........................................................................................................................................
                                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):708608
                                                                                                            Entropy (8bit):6.514147155960057
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:UQCCh1TaLSSKrPD37zzH2A6QGgx/nstpq9KgER19zrNidbZgUHayxyF:UQPh1eLSSKrPD37zzH2A6QD/srqggE7X
                                                                                                            MD5:ED4730120FE89130C401E2280D614D75
                                                                                                            SHA1:79B9B7688EDEBB9F85B54B102251E5D0CFCEE13A
                                                                                                            SHA-256:36339134E74DFE0D059CF5974DBD60AB6FA18059A58BD3511A4DD432EFAF0B49
                                                                                                            SHA-512:22AB0ABCF85A58FCD32AD7F9EBA0DA2C95AA965622A77AFA1E04BB1B69E89A3DCB5A0D0117022D0C95278C365C00AAF20DC6249955EC819E7422A36496411CDA
                                                                                                            Malicious:true
                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%........................................................... ......................................................CODE............................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata....... ......................@..P.reloc..H....0......................@..P.rsrc...............................@..P.....................\..............@..P........................................................................................................................................
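Every dropped-file record on this page repeats the same per-file fields: size, "Entropy (8bit)", an "Encrypted" flag, SSDEEP, the four hashes, and a lossy preview of the DOS header (the "MZP" plus "This program must be run under Win32" seen in the Inno Setup .tmp records is the Borland/Delphi linker stub, hence the CODE/DATA/BSS section names). The Python below is an added example, not Joe Sandbox's code: it recomputes those fields for a local file exactly as the report labels them and matches the result against SHA-256 values copied verbatim from the records above. The 7.2 entropy threshold for the encrypted flag, the stub labels, the record labels, and the sample bytes in `__main__` are this example's own assumptions and constructed data, not values taken from the sandbox.

```python
"""Recompute the fields a sandbox dropped-file record reports for a local
file (MD5 / SHA1 / SHA-256 / SHA-512, 8-bit entropy, DOS-stub type) and check
the file against hashes taken from the records on this page.

Added example for this report page; it is not Joe Sandbox code. The
'encrypted' threshold and the stub labels are this example's own heuristics.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# SHA-256 values copied verbatim from the dropped-file records on this page.
# The short labels are ours; they summarise Size / Malicious from each record.
KNOWN_SHA256 = {
    "B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62":
        "dropped DLL (console), 392048 bytes, Malicious:true",
    "63AA600A7C914C2D59280069169CC93E750E42C9A1146E238C9128E073D578FD":
        "dropped DLL (console), 1471856 bytes, Malicious:true",
    "7A16E6ED0C0A49AEB8EA4972600A7A1422C92550602A150634B1C221F79300B4":
        "dropped DLL (GUI), 719720 bytes, Malicious:true",
    "36339134E74DFE0D059CF5974DBD60AB6FA18059A58BD3511A4DD432EFAF0B49":
        "Inno Setup .tmp stub, 708608 bytes, Malicious:true",
}

# Heuristic only (assumption, not the sandbox's rule): whole-file entropy
# this high usually means compressed or encrypted payload, not plain code.
ENCRYPTED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 .. 8.0).

    This is what the 'Entropy (8bit)' field measures. A plain x86 PE with
    mixed code, data and resources lands in the mid sixes (the DLLs and
    installer stubs on this page span 6.41 to 6.83); a tiny, mostly
    zero-padded 2560-byte DLL drops to 2.88; packed or encrypted content
    approaches 8.0.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def dos_stub_kind(data: bytes) -> str:
    """Classify the DOS header the 'Preview' column shows.

    'MZP' followed by 'This program must be run under Win32' is the
    Borland/Delphi linker stub; Inno Setup's loader is Delphi-built, which
    is why the .tmp records start with MZP and carry CODE/DATA/BSS sections.
    """
    if data[:3] == b"MZP":
        return "MZP (Borland/Delphi stub)"
    if data[:2] == b"MZ":
        return "MZ (standard DOS stub)"
    return "not a PE image"


@dataclass
class FileRecord:
    size: int
    entropy: float
    encrypted: bool
    md5: str
    sha1: str
    sha256: str
    sha512: str
    stub: str
    known_as: Optional[str]


def describe(data: bytes) -> FileRecord:
    """Build the same fields the report lists; hashes upper-cased to match it."""
    sha256 = hashlib.sha256(data).hexdigest().upper()
    entropy = shannon_entropy_8bit(data)
    return FileRecord(
        size=len(data),
        entropy=entropy,
        encrypted=entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=sha256,
        sha512=hashlib.sha512(data).hexdigest().upper(),
        stub=dos_stub_kind(data),
        known_as=KNOWN_SHA256.get(sha256),
    )


def describe_file(path: str) -> FileRecord:
    """describe() for a file on disk, e.g. one recovered from an is-*.tmp directory."""
    with open(path, "rb") as fh:
        return describe(fh.read())


if __name__ == "__main__":
    # Constructed sample: a fake Delphi-style stub, not bytes from the real sample.
    fake_stub = (b"MZP" + b"\x00" * 61
                 + b"This program must be run under Win32" + b"\x00" * 200)
    rec = describe(fake_stub)
    print(f"{rec.size} bytes, entropy {rec.entropy:.3f}, encrypted={rec.encrypted}")
    print(f"stub: {rec.stub}; SHA-256 {rec.sha256}; known: {rec.known_as}")
```

Point `describe_file()` at a file pulled from the `is-42905.tmp` staging directory or from the install path recorded in the Inno Setup uninstall log; a `known_as` hit means the hashes match one of the records above, while a miss with the same size and a near-identical entropy is the cue to compare SSDEEP rather than exact hashes.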
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2560
                                                                                                            Entropy (8bit):2.8818118453929262
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6144
                                                                                                            Entropy (8bit):4.720366600008286
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):23312
                                                                                                            Entropy (8bit):4.596242908851566
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):7.997414341698663
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                                            • Windows Screen Saver (13104/52) 0.13%
                                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            File name:SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
                                                                                                            File size:3'132'268 bytes
                                                                                                            MD5:e3bf1bd1bb1678eca7bc20f0de65fb4f
                                                                                                            SHA1:b38add3571b79a31f906cfb92c895d9a65a8d14b
                                                                                                            SHA256:7766b5020c69d2f96d2d86100ee8137ed27764b0b21dddbd398d5b06b3002275
                                                                                                            SHA512:12cf0c784ff7aa6516b77336368f554e06f5f39fb727d6212637827dda47b0ad50206d831569136fd6bae5a6cef3f63ffbcb54be2a3c0d988bcf5b14ff0806e5
                                                                                                            SSDEEP:49152:e9+8Ys06B8clbzPhNEhOSG8Q+lJt7xthsyvm3egYBombb6rQngVOwPuYCd3Cs7Y2:4+q06WWcMR8JtxGzYBT6rQnjw2V3m2
                                                                                                            TLSH:C8E53343EAD7CD31DB21DD780E7A929161226D2A44738E1CA2ECECCC6F2798C5987747
                                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                            Icon Hash:2d2e3797b32b2b99
                                                                                                            Entrypoint:0x40a5f8
                                                                                                            Entrypoint Section:CODE
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:1
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:1
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:1
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                                                            Instruction
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            add esp, FFFFFFC4h
                                                                                                            push ebx
                                                                                                            push esi
                                                                                                            push edi
                                                                                                            xor eax, eax
                                                                                                            mov dword ptr [ebp-10h], eax
                                                                                                            mov dword ptr [ebp-24h], eax
                                                                                                            call 00007F8DA9244763h
                                                                                                            call 00007F8DA924596Ah
                                                                                                            call 00007F8DA9245BF9h
                                                                                                            call 00007F8DA9245C9Ch
                                                                                                            call 00007F8DA9247C3Bh
                                                                                                            call 00007F8DA924A5A6h
                                                                                                            call 00007F8DA924A70Dh
                                                                                                            xor eax, eax
                                                                                                            push ebp
                                                                                                            push 0040ACC9h
                                                                                                            push dword ptr fs:[eax]
                                                                                                            mov dword ptr fs:[eax], esp
                                                                                                            xor edx, edx
                                                                                                            push ebp
                                                                                                            push 0040AC92h
                                                                                                            push dword ptr fs:[edx]
                                                                                                            mov dword ptr fs:[edx], esp
                                                                                                            mov eax, dword ptr [0040C014h]
                                                                                                            call 00007F8DA924B1BBh
                                                                                                            call 00007F8DA924ADA6h
                                                                                                            cmp byte ptr [0040B234h], 00000000h
                                                                                                            je 00007F8DA924BC9Eh
                                                                                                            call 00007F8DA924B2B8h
                                                                                                            xor eax, eax
                                                                                                            call 00007F8DA9245459h
                                                                                                            lea edx, dword ptr [ebp-10h]
                                                                                                            xor eax, eax
                                                                                                            call 00007F8DA924824Bh
                                                                                                            mov edx, dword ptr [ebp-10h]
                                                                                                            mov eax, 0040CE2Ch
                                                                                                            call 00007F8DA92447FAh
                                                                                                            push 00000002h
                                                                                                            push 00000000h
                                                                                                            push 00000001h
                                                                                                            mov ecx, dword ptr [0040CE2Ch]
                                                                                                            mov dl, 01h
                                                                                                            mov eax, 0040738Ch
                                                                                                            call 00007F8DA9248ADAh
                                                                                                            mov dword ptr [0040CE30h], eax
                                                                                                            xor edx, edx
                                                                                                            push ebp
                                                                                                            push 0040AC4Ah
                                                                                                            push dword ptr fs:[edx]
                                                                                                            mov dword ptr fs:[edx], esp
                                                                                                            call 00007F8DA924B216h
                                                                                                            mov dword ptr [0040CE38h], eax
                                                                                                            mov eax, dword ptr [0040CE38h]
                                                                                                            cmp dword ptr [eax+0Ch], 00000000h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd000           0x950         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11000          0x2c00        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xf000           0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
CODE    0x1000           0x9d30        0x9e00    04ffdb46e50716ec8cb7db42819802fd  False     0.6052956882911392  data       6.631603395825714   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA    0xb000           0x250         0x400     beee52f18301950f82460d9ffe5aec7e  False     0.306640625         data       2.7547169534996403  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS     0xc000           0xe90         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0xd000           0x950         0xa00     bb5485bf968b970e5ea81292af2acdba  False     0.414453125         data       4.430733069799036   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0xe000           0x8           0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0xf000           0x18          0x200     9ba824905bf9c7922b6fc87a38b74366  False     0.052734375         data       0.2044881574398449  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x10000          0x8c4         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x11000          0x2c00        0x2c00    4b58f4127aa285b3842033ae5fde2008  False     0.3340731534090909  data       4.593986784749601   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                             Language  Country        ZLIB Complexity
RT_ICON        0x11354  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192   Dutch     Netherlands    0.5675675675675675
RT_ICON        0x1147c  0x568  Device independent bitmap graphic, 16 x 32 x 8, image size 320   Dutch     Netherlands    0.4486994219653179
RT_ICON        0x119e4  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640   Dutch     Netherlands    0.4637096774193548
RT_ICON        0x11ccc  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1152  Dutch     Netherlands    0.3935018050541516
RT_STRING      0x12574  0x2f2  data                                                                                      0.35543766578249336
RT_STRING      0x12868  0x30c  data                                                                                      0.3871794871794872
RT_STRING      0x12b74  0x2ce  data                                                                                      0.42618384401114207
RT_STRING      0x12e44  0x68   data                                                                                      0.75
RT_STRING      0x12eac  0xb4   data                                                                                      0.6277777777777778
RT_STRING      0x12f60  0xae   data                                                                                      0.5344827586206896
RT_RCDATA      0x13010  0x2c   data                                                                                      1.2045454545454546
RT_GROUP_ICON  0x1303c  0x3e   data                                                             English   United States  0.8387096774193549
RT_VERSION     0x1307c  0x4f4  data                                                             English   United States  0.28470031545741326
RT_MANIFEST    0x13570  0x62c  XML 1.0 document, ASCII text, with CRLF line terminators         English   United States  0.4240506329113924
DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll    MessageBoxA
oleaut32.dll  VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll  WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll    TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll  InitCommonControls
advapi32.dll  AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T23:30:51.433551+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.196.8.214 | 80 | TCP
2024-09-27T23:30:51.433551+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.196.8.214 | 80 | TCP
2024-09-27T23:30:58.182310+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-27T23:30:58.182310+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49738 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:04.885128+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49739 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:04.885128+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49739 | 185.196.8.214 | 80 | TCP
2024-09-27T23:31:10.685863+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:10.685863+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:13.697755+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:13.697755+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:14.579307+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49742 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:14.579307+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49742 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.504584+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.504584+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.885024+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:15.885024+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:16.763416+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49745 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:16.763416+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49745 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:17.670685+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49746 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:17.670685+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49746 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:18.570556+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49747 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:18.570556+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49747 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.491503+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.491503+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.889751+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:19.889751+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:20.728634+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49749 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:20.728634+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49749 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:21.633021+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49750 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:21.633021+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49750 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:22.545452+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49751 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:22.545452+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49751 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:23.400715+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49752 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:23.400715+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49752 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:24.264093+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49753 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:24.264093+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49753 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:25.164603+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49754 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:25.164603+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49754 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.091434+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49755 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.091434+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49755 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.941817+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49756 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:26.941817+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49756 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:27.781324+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49757 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:27.781324+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49757 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:28.631658+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49758 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:28.631658+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49758 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.478363+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.478363+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.853516+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:29.853516+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49759 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:31.624022+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49760 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:31.624022+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49760 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.506702+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.506702+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.883431+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:32.883431+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49761 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:33.727463+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49762 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:33.727463+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49762 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:34.597846+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49763 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:34.597846+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49763 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:35.519771+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49764 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:35.519771+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49764 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:36.341997+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49765 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:36.341997+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49765 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:37.179408+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49766 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:37.179408+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49766 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.054745+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.054745+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.418274+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:38.418274+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49767 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.255678+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.255678+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.619366+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:39.619366+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:40.445356+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49769 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:40.445356+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49769 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:41.369534+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49770 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:41.369534+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49770 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:42.213051+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49771 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:42.213051+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49771 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.033266+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49772 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.033266+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49772 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.920621+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49773 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:43.920621+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49773 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:44.749560+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49774 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:44.749560+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49774 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:45.578373+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49775 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:45.578373+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49775 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:46.400881+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49776 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:46.400881+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49776 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:47.250686+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49777 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:47.250686+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49777 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.084804+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49778 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.084804+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49778 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.916872+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49779 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:48.916872+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49779 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:49.931624+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49780 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:49.931624+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49780 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:50.762993+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49781 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:50.762993+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49781 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:51.599294+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49782 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:51.599294+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49782 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:52.536822+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49783 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:52.536822+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49783 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:53.371113+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49784 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:53.371113+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49784 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:54.261607+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49785 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:54.261607+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49785 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:55.212742+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49786 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:55.212742+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49786 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.086627+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49787 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.086627+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49787 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.994568+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49788 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:56.994568+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49788 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:57.827499+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49789 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:57.827499+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49789 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:58.662698+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49790 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:58.662698+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49790 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:59.563816+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49791 | 45.155.250.128 | 80 | TCP
2024-09-27T23:31:59.563816+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49791 | 45.155.250.128 | 80 | TCP
2024-09-27T23:32:00.440828+0200 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49792 | 45.155.250.128 | 80 | TCP
2024-09-27T23:32:00.440828+0200 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49792 | 45.155.250.128 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 23:30:49.768330097 CEST | 49736 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:49.773825884 CEST | 80 | 49736 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:49.773925066 CEST | 49736 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:49.774033070 CEST | 49736 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:49.779124975 CEST | 80 | 49736 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:51.432152033 CEST | 80 | 49736 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:51.433551073 CEST | 49736 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:51.433634996 CEST | 49736 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:51.438452005 CEST | 80 | 49736 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:56.513494015 CEST | 49738 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:56.518383026 CEST | 80 | 49738 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:56.518476963 CEST | 49738 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:56.537889004 CEST | 49738 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:56.542768002 CEST | 80 | 49738 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:58.182218075 CEST | 80 | 49738 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:30:58.182310104 CEST | 49738 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:58.182384014 CEST | 49738 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:30:58.187807083 CEST | 80 | 49738 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:31:03.194910049 CEST | 49739 | 80 | 192.168.2.4 | 185.196.8.214
Sep 27, 2024 23:31:03.200381994 CEST | 80 | 49739 | 185.196.8.214 | 192.168.2.4
Sep 27, 2024 23:31:03.200488091 CEST | 49739 | 80 | 192.168.2.4 | 185.196.8.214
                                                                                                            Sep 27, 2024 23:31:03.200592041 CEST4973980192.168.2.4185.196.8.214
                                                                                                            Sep 27, 2024 23:31:03.205430031 CEST8049739185.196.8.214192.168.2.4
                                                                                                            Sep 27, 2024 23:31:04.884990931 CEST8049739185.196.8.214192.168.2.4
                                                                                                            Sep 27, 2024 23:31:04.885128021 CEST4973980192.168.2.4185.196.8.214
                                                                                                            Sep 27, 2024 23:31:04.885214090 CEST4973980192.168.2.4185.196.8.214
                                                                                                            Sep 27, 2024 23:31:04.890142918 CEST8049739185.196.8.214192.168.2.4
                                                                                                            Sep 27, 2024 23:31:09.967549086 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:09.972296000 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:09.972397089 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:09.973238945 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:09.979060888 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.685745955 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.685863018 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:10.685933113 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.685944080 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.685981035 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:10.685992956 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:10.773195028 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.773401976 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:10.777910948 CEST497412023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:10.782938957 CEST202349741195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.783025026 CEST497412023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:10.786489964 CEST497412023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:10.792016029 CEST202349741195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:10.792082071 CEST497412023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:10.798140049 CEST202349741195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:11.389458895 CEST202349741195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:11.441087961 CEST497412023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:13.397778988 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.402926922 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:13.697696924 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:13.697755098 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.838458061 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.838753939 CEST4974280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.843848944 CEST804974245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:13.843926907 CEST4974280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.845736980 CEST4974280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.845977068 CEST804974045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:13.846024036 CEST4974080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:13.850641966 CEST804974245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.579243898 CEST804974245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.579252958 CEST804974245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.579307079 CEST4974280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:14.580380917 CEST497432023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:14.593987942 CEST202349743195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.594094992 CEST497432023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:14.594161987 CEST497432023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:14.594213009 CEST497432023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:14.616977930 CEST202349743195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.617449999 CEST202349743195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.718564987 CEST4974280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:14.719310999 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:14.724767923 CEST804974445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.724895954 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:14.725250959 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:14.731170893 CEST804974445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.760924101 CEST804974245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:14.761125088 CEST4974280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:15.057518005 CEST202349743195.154.173.35192.168.2.4
                                                                                                            Sep 27, 2024 23:31:15.057765961 CEST497432023192.168.2.4195.154.173.35
                                                                                                            Sep 27, 2024 23:31:15.504517078 CEST804974445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:15.504584074 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:15.616485119 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:15.636544943 CEST804974445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:15.884943008 CEST804974445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:15.885024071 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.007261992 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.007466078 CEST4974580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.012408972 CEST804974445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:16.012492895 CEST4974480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.012705088 CEST804974545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:16.012779951 CEST4974580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.012973070 CEST4974580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.017920971 CEST804974545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:16.763235092 CEST804974545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:16.763416052 CEST4974580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.897932053 CEST4974580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.898258924 CEST4974680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.902987003 CEST804974545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:16.903059006 CEST4974580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.903378963 CEST804974645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:16.903446913 CEST4974680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.903608084 CEST4974680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:16.908627033 CEST804974645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:17.670480967 CEST804974645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:17.670685053 CEST4974680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:17.790141106 CEST4974680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:17.790517092 CEST4974780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:17.804996014 CEST804974745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:17.805128098 CEST4974780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:17.805356026 CEST4974780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:17.806641102 CEST804974645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:17.806694984 CEST4974680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:17.810583115 CEST804974745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:18.566340923 CEST804974745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:18.570555925 CEST4974780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:18.694696903 CEST4974780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:18.694993973 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:18.739861012 CEST804974845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:18.741446018 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:18.741559982 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:18.743478060 CEST804974745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:18.744561911 CEST4974780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:18.763487101 CEST804974845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:19.491429090 CEST804974845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:19.491503000 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:19.600804090 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:19.636728048 CEST804974845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:19.889611006 CEST804974845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:19.889750957 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.006856918 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.007138968 CEST4974980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.012033939 CEST804974845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:20.012370110 CEST804974945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:20.012444019 CEST4974880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.012475014 CEST4974980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.012634039 CEST4974980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.017955065 CEST804974945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:20.728543043 CEST804974945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:20.728634119 CEST4974980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.850733042 CEST4974980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.851013899 CEST4975080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.867149115 CEST804975045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:20.867295980 CEST4975080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.867424965 CEST4975080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.868561983 CEST804974945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:20.868609905 CEST4974980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:20.880362988 CEST804975045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:21.632940054 CEST804975045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:21.633021116 CEST4975080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:21.787367105 CEST4975080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:21.787777901 CEST4975180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:21.792716026 CEST804975045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:21.792788029 CEST4975080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:21.793045998 CEST804975145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:21.793231964 CEST4975180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:21.793391943 CEST4975180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:21.798451900 CEST804975145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:22.545339108 CEST804975145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:22.545452118 CEST4975180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:22.663103104 CEST4975180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:22.663429022 CEST4975280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:22.668462992 CEST804975145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:22.668533087 CEST4975180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:22.668678045 CEST804975245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:22.668775082 CEST4975280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:22.668943882 CEST4975280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:22.674216986 CEST804975245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:23.400635004 CEST804975245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:23.400715113 CEST4975280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:23.522571087 CEST4975280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:23.522828102 CEST4975380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:23.528598070 CEST804975245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:23.528773069 CEST804975345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:23.528783083 CEST4975280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:23.528845072 CEST4975380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:23.529007912 CEST4975380192.168.2.445.155.250.128
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 27, 2024 23:31:23.535537958 CEST  80           49753      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:24.264014006 CEST  80           49753      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:24.264092922 CEST  49753        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:24.381897926 CEST  49753        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:24.382195950 CEST  49754        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:24.387499094 CEST  80           49754      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:24.387589931 CEST  49754        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:24.387687922 CEST  49754        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:24.387758970 CEST  80           49753      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:24.387809992 CEST  49753        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:24.392482042 CEST  80           49754      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:25.164530039 CEST  80           49754      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:25.164602995 CEST  49754        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:25.364912033 CEST  49754        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:25.365216017 CEST  49755        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:25.370954990 CEST  80           49754      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:25.371031046 CEST  49754        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:25.371239901 CEST  80           49755      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:25.371309042 CEST  49755        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:25.371404886 CEST  49755        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:25.377422094 CEST  80           49755      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:26.091356039 CEST  80           49755      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:26.091434002 CEST  49755        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:26.209985971 CEST  49755        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:26.210282087 CEST  49756        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:26.215210915 CEST  80           49755      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:26.215223074 CEST  80           49756      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:26.215270042 CEST  49755        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:26.215301037 CEST  49756        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:26.215436935 CEST  49756        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:26.220237970 CEST  80           49756      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:26.941695929 CEST  80           49756      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:26.941817045 CEST  49756        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.069562912 CEST  49756        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.069904089 CEST  49757        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.076116085 CEST  80           49757      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:27.076184988 CEST  49757        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.076319933 CEST  49757        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.077445030 CEST  80           49756      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:27.077488899 CEST  49756        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.081253052 CEST  80           49757      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:27.781090021 CEST  80           49757      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:27.781323910 CEST  49757        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.897959948 CEST  49757        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.898253918 CEST  49758        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.903109074 CEST  80           49758      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:27.903208017 CEST  49758        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.903376102 CEST  49758        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.903697968 CEST  80           49757      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:27.903767109 CEST  49757        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:27.908159971 CEST  80           49758      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:28.631567955 CEST  80           49758      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:28.631658077 CEST  49758        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:28.757370949 CEST  49758        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:28.757652998 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:28.762389898 CEST  80           49758      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:28.762455940 CEST  49758        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:28.762517929 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:28.762583017 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:28.762728930 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:28.767496109 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:29.478250980 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:29.478363037 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:29.592431068 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:29.597378969 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:29.853432894 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:29.853516102 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:29.977757931 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:29.978141069 CEST  49760        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:30.284755945 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:30.894112110 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:30.925872087 CEST  80           49760      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:30.925961971 CEST  49760        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:30.926017046 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:30.926142931 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:30.926161051 CEST  49760        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:30.926367998 CEST  80           49759      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:30.926424026 CEST  49759        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:30.930922985 CEST  80           49760      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:31.623944044 CEST  80           49760      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:31.624022007 CEST  49760        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:31.793232918 CEST  49760        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:31.793566942 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:31.798398018 CEST  80           49760      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:31.798461914 CEST  80           49761      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:31.798466921 CEST  49760        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:31.798537016 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:31.798731089 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:31.803540945 CEST  80           49761      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:32.506511927 CEST  80           49761      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:32.506701946 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:32.621460915 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:32.626535892 CEST  80           49761      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:32.883306026 CEST  80           49761      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:32.883430958 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.007838011 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.008239031 CEST  49762        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.013062000 CEST  80           49761      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:33.013138056 CEST  49761        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.013484955 CEST  80           49762      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:33.013575077 CEST  49762        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.013679981 CEST  49762        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.018681049 CEST  80           49762      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:33.727355003 CEST  80           49762      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:33.727463007 CEST  49762        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.856110096 CEST  49762        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.856832027 CEST  49763        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.861192942 CEST  80           49762      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:33.861268044 CEST  49762        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.861722946 CEST  80           49763      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:33.861824989 CEST  49763        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.862035036 CEST  49763        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:33.866888046 CEST  80           49763      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:34.597707987 CEST  80           49763      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:34.597846031 CEST  49763        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:34.795098066 CEST  49763        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:34.795419931 CEST  49764        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:34.801455021 CEST  80           49764      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:34.801558971 CEST  49764        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:34.801655054 CEST  49764        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:34.801662922 CEST  80           49763      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:34.801744938 CEST  49763        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:34.807010889 CEST  80           49764      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:35.519665956 CEST  80           49764      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:35.519771099 CEST  49764        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:35.634002924 CEST  49764        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:35.634421110 CEST  49765        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:35.639120102 CEST  80           49764      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:35.639230013 CEST  49764        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:35.639729023 CEST  80           49765      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:35.639796019 CEST  49765        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:35.639951944 CEST  49765        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:35.644931078 CEST  80           49765      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:36.341764927 CEST  80           49765      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:36.341996908 CEST  49765        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:36.468081951 CEST  49765        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:36.468815088 CEST  49766        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:36.473329067 CEST  80           49765      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:36.473396063 CEST  49765        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:36.473615885 CEST  80           49766      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:36.473699093 CEST  49766        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:36.473896980 CEST  49766        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:36.478940964 CEST  80           49766      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:37.179297924 CEST  80           49766      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:37.179408073 CEST  49766        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:37.342768908 CEST  49766        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:37.347408056 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:37.348001957 CEST  80           49766      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:37.348090887 CEST  49766        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:37.352231979 CEST  80           49767      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:37.352339029 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:37.352685928 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:37.357635021 CEST  80           49767      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:38.054491997 CEST  80           49767      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:38.054744959 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.163311958 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.168178082 CEST  80           49767      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:38.418113947 CEST  80           49767      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:38.418273926 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.539833069 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.540255070 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.544899940 CEST  80           49767      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:38.545053959 CEST  49767        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.545285940 CEST  80           49768      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:38.545383930 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.545594931 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:38.550461054 CEST  80           49768      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:39.255572081 CEST  80           49768      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:39.255677938 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.371234894 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.376106977 CEST  80           49768      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:39.619251013 CEST  80           49768      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:39.619365931 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.742113113 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.742561102 CEST  49769        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.747502089 CEST  80           49768      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:39.747597933 CEST  49768        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.747689009 CEST  80           49769      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:39.747764111 CEST  49769        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.747899055 CEST  49769        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:39.753011942 CEST  80           49769      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:40.445254087 CEST  80           49769      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:40.445355892 CEST  49769        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:40.662523985 CEST  49769        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:40.662812948 CEST  49770        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:40.667912960 CEST  80           49770      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:40.667943954 CEST  80           49769      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:40.667975903 CEST  49770        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:40.667999983 CEST  49769        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:40.669487000 CEST  49770        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:40.674314022 CEST  80           49770      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:41.369467974 CEST  80           49770      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:41.369534016 CEST  49770        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:41.491219997 CEST  49770        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:41.491552114 CEST  49771        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:41.496331930 CEST  80           49770      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:41.496393919 CEST  49770        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:41.496640921 CEST  80           49771      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:41.496722937 CEST  49771        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:41.496869087 CEST  49771        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:41.501981020 CEST  80           49771      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:42.212929964 CEST  80           49771      45.155.250.128  192.168.2.4
Sep 27, 2024 23:31:42.213051081 CEST  49771        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:42.335558891 CEST  49771        80         192.168.2.4     45.155.250.128
Sep 27, 2024 23:31:42.335855007 CEST  49772        80         192.168.2.4     45.155.250.128
                                                                                                            Sep 27, 2024 23:31:42.340846062 CEST804977145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:42.340859890 CEST804977245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:42.340908051 CEST4977180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:42.340935946 CEST4977280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:42.341106892 CEST4977280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:42.345843077 CEST804977245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:43.033169031 CEST804977245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:43.033266068 CEST4977280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:43.205334902 CEST4977280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:43.209271908 CEST4977380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:43.210618019 CEST804977245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:43.210685015 CEST4977280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:43.214042902 CEST804977345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:43.214112043 CEST4977380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:43.226192951 CEST4977380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:43.231085062 CEST804977345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:43.920540094 CEST804977345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:43.920620918 CEST4977380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.038227081 CEST4977380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.038541079 CEST4977480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.044235945 CEST804977345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:44.044317007 CEST4977380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.044373989 CEST804977445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:44.044435024 CEST4977480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.044529915 CEST4977480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.050482988 CEST804977445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:44.749358892 CEST804977445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:44.749560118 CEST4977480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.866350889 CEST4977480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.866677046 CEST4977580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.871800900 CEST804977545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:44.871908903 CEST4977580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.872136116 CEST4977580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.874015093 CEST804977445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:44.874077082 CEST4977480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:44.877063990 CEST804977545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:45.578264952 CEST804977545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:45.578372955 CEST4977580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:45.695849895 CEST4977580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:45.696086884 CEST4977680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:45.701008081 CEST804977545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:45.701070070 CEST804977645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:45.701076984 CEST4977580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:45.701179981 CEST4977680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:45.701335907 CEST4977680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:45.706250906 CEST804977645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:46.400785923 CEST804977645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:46.400881052 CEST4977680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:46.522711039 CEST4977680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:46.522903919 CEST4977780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:46.527946949 CEST804977645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:46.527975082 CEST804977745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:46.528028965 CEST4977680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:46.528084040 CEST4977780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:46.528207064 CEST4977780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:46.532988071 CEST804977745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:47.250514984 CEST804977745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:47.250685930 CEST4977780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:47.366347075 CEST4977780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:47.366749048 CEST4977880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:47.371706963 CEST804977745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:47.371958017 CEST804977845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:47.372036934 CEST4977780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:47.372137070 CEST4977880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:47.372265100 CEST4977880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:47.377182961 CEST804977845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:48.084738016 CEST804977845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:48.084804058 CEST4977880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:48.194792032 CEST4977880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:48.195123911 CEST4977980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:48.200012922 CEST804977845.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:48.200037956 CEST804977945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:48.200083017 CEST4977880192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:48.200143099 CEST4977980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:48.200314045 CEST4977980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:48.205234051 CEST804977945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:48.916795015 CEST804977945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:48.916872025 CEST4977980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:49.194865942 CEST4977980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:49.195247889 CEST4978080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:49.200366020 CEST804977945.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:49.200373888 CEST804978045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:49.200434923 CEST4977980192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:49.200484037 CEST4978080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:49.200798988 CEST4978080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:49.206358910 CEST804978045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:49.931500912 CEST804978045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:49.931623936 CEST4978080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.053611040 CEST4978080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.053999901 CEST4978180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.059875011 CEST804978045.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:50.059968948 CEST4978080192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.060266972 CEST804978145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:50.060338974 CEST4978180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.060486078 CEST4978180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.065454960 CEST804978145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:50.762917995 CEST804978145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:50.762993097 CEST4978180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.890130997 CEST4978180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.890526056 CEST4978280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.895190001 CEST804978145.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:50.895250082 CEST4978180192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.895287037 CEST804978245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:50.895349026 CEST4978280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.895452976 CEST4978280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:50.900311947 CEST804978245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:51.599097967 CEST804978245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:51.599293947 CEST4978280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:51.823668003 CEST4978280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:51.823966026 CEST4978380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:51.828777075 CEST804978245.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:51.828838110 CEST4978280192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:51.829092979 CEST804978345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:51.829175949 CEST4978380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:51.831259012 CEST4978380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:51.836122036 CEST804978345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:52.536751032 CEST804978345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:52.536822081 CEST4978380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:52.647969961 CEST4978380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:52.648382902 CEST4978480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:52.653117895 CEST804978345.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:52.653225899 CEST804978445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:52.653225899 CEST4978380192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:52.653304100 CEST4978480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:52.653439999 CEST4978480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:52.658210039 CEST804978445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:53.371033907 CEST804978445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:53.371113062 CEST4978480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:53.493422985 CEST4978480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:53.493710041 CEST4978580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:53.498819113 CEST804978545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:53.498832941 CEST804978445.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:53.498907089 CEST4978480192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:53.498919964 CEST4978580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:53.499073982 CEST4978580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:53.504427910 CEST804978545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:54.261552095 CEST804978545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:54.261606932 CEST4978580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:54.416112900 CEST4978580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:54.416434050 CEST4978680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:54.432658911 CEST804978545.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:54.432662010 CEST804978645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:54.432743073 CEST4978580192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:54.432775974 CEST4978680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:54.434941053 CEST4978680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:54.440368891 CEST804978645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:55.211530924 CEST804978645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:55.212742090 CEST4978680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:55.337934017 CEST4978680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:55.338258028 CEST4978780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:55.345918894 CEST804978745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:55.345992088 CEST4978780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:55.346120119 CEST4978780192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:55.347189903 CEST804978645.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:55.347248077 CEST4978680192.168.2.445.155.250.128
                                                                                                            Sep 27, 2024 23:31:55.351200104 CEST804978745.155.250.128192.168.2.4
                                                                                                            Sep 27, 2024 23:31:56.086482048 CEST804978745.155.250.128192.168.2.4
Sep 27, 2024 23:31:56.086627007 CEST | 49787 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:56.211658001 CEST | 49787 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:56.212040901 CEST | 49788 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:56.217199087 CEST | 80 | 49788 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:56.217439890 CEST | 49788 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:56.217586994 CEST | 49788 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:56.217667103 CEST | 80 | 49787 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:56.217891932 CEST | 49787 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:56.222558022 CEST | 80 | 49788 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:56.994458914 CEST | 80 | 49788 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:56.994568110 CEST | 49788 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.119112968 CEST | 49788 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.119545937 CEST | 49789 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.124316931 CEST | 80 | 49788 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:57.124371052 CEST | 49788 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.124661922 CEST | 80 | 49789 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:57.124733925 CEST | 49789 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.124916077 CEST | 49789 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.129926920 CEST | 80 | 49789 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:57.827439070 CEST | 80 | 49789 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:57.827498913 CEST | 49789 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.952234983 CEST | 49789 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.952850103 CEST | 49790 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.957530022 CEST | 80 | 49789 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:57.957592964 CEST | 49789 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.958019972 CEST | 80 | 49790 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:57.958120108 CEST | 49790 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.980616093 CEST | 49790 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:57.985591888 CEST | 80 | 49790 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:58.659138918 CEST | 80 | 49790 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:58.662698030 CEST | 49790 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:58.789618969 CEST | 49790 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:58.790266991 CEST | 49791 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:58.794775963 CEST | 80 | 49790 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:58.794898987 CEST | 49790 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:58.795056105 CEST | 80 | 49791 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:58.795252085 CEST | 49791 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:58.795252085 CEST | 49791 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:58.800209999 CEST | 80 | 49791 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:59.563734055 CEST | 80 | 49791 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:59.563816071 CEST | 49791 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:59.681088924 CEST | 49791 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:59.681400061 CEST | 49792 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:59.689337015 CEST | 80 | 49792 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:59.689434052 CEST | 49792 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:59.689603090 CEST | 49792 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:59.690277100 CEST | 80 | 49791 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:31:59.690330982 CEST | 49791 | 80 | 192.168.2.4 | 45.155.250.128
Sep 27, 2024 23:31:59.694811106 CEST | 80 | 49792 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:32:00.439975977 CEST | 80 | 49792 | 45.155.250.128 | 192.168.2.4
Sep 27, 2024 23:32:00.440828085 CEST | 49792 | 80 | 192.168.2.4 | 45.155.250.128
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 23:30:49.651810884 CEST | 55038 | 53 | 192.168.2.4 | 152.89.198.214
Sep 27, 2024 23:30:49.720448017 CEST | 53 | 55038 | 152.89.198.214 | 192.168.2.4
Sep 27, 2024 23:31:09.898042917 CEST | 57148 | 53 | 192.168.2.4 | 152.89.198.214
Sep 27, 2024 23:31:09.965086937 CEST | 53 | 57148 | 152.89.198.214 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 23:30:49.651810884 CEST | 192.168.2.4 | 152.89.198.214 | 0x2004 | Standard query (0) | bngrkdw.com | A (IP address) | IN (0x0001) | false
Sep 27, 2024 23:31:09.898042917 CEST | 192.168.2.4 | 152.89.198.214 | 0xc048 | Standard query (0) | heketoh.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 23:30:49.720448017 CEST | 152.89.198.214 | 192.168.2.4 | 0x2004 | No error (0) | bngrkdw.com | (none) | 185.196.8.214 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 23:31:09.965086937 CEST | 152.89.198.214 | 192.168.2.4 | 0xc048 | No error (0) | heketoh.net | (none) | 45.155.250.128 | A (IP address) | IN (0x0001) | false
                                                                                                            • bngrkdw.com
                                                                                                            • heketoh.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 185.196.8.214 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:30:49.774033070 CEST | 318 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1
                                                                                                            Host: bngrkdw.com
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 185.196.8.214 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:30:56.537889004 CEST | 318 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1
                                                                                                            Host: bngrkdw.com
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 185.196.8.214 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:03.200592041 CEST | 318 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1
                                                                                                            Host: bngrkdw.com
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:09.973238945 CEST | 318 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c7ed939f3c HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:10.685745955 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:10 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 34 65 61 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 35 38 31 64 66 34 36 66 66 38 62 63 38 66 35 31 65 31 38 65 38 62 64 35 37 65 66 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 62 37 36 35 62 62 33 37 34 66 30 36 37 62 37 33 32 35 36 63 30 65 30 64 35 30 65 63 61 34 32 63 64 37 64 62 30 31 62 66 39 33 36 39 34 32 34 65 35 30 65 61 34 36 37 63 31 34 64 62 61 65 33 34 62 65 37 35 62 37 66 34 33 65 63 32 66 36 35 39 34 33 39 37 39 38 39 66 39 30 66 63 31 65 64 39 63 38 34 33 32 63 64 36 35 39 37 31 36 64 38 35 30 38 34 32 62 62 37 35 66 61 64 65 62 35 66 32 32 66 33 37 39 64 37 66 65 36 37 62 64 38 61 65 35 64 30 34 61 65 36 33 65 63 32 31 34 33 35 35 35 34 34 32 31 65 32 32 35 36 63 30 66 36 35 61 37 65 65 38 63 66 36 38 63 32 65 35 31 65 36 35 63 37 30 32 37 66 62 33 34 35 66 66 36 65 32 65 35 38 64 66 65 32 30 37 61 61 34 65 39 34 64 39 33 38 34 66 62 37 61 32 63 31 [TRUNCATED]
Data Ascii: [TRUNCATED]
Sep 27, 2024 23:31:10.685933113 CEST | 224 | IN | Data Raw: 62 66 36 62 35 31 65 63 65 65 63 36 64 62 32 65 30 65 38 66 32 31 63 32 30 37 30 64 35 30 39 63 66 64 33 31 64 61 36 34 34 66 66 34 65 32 33 36 63 62 33 64 62 34 37 61 65 38 61 31 30 30 31 33 39 66 39 63 66 33 31 64 61 63 31 39 65 64 39 63 36 62
                                                                                                            Data Ascii: bf6b51eceec6db2e0e8f21c2070d509cfd31da644ff4e236cb3db47ae8a100139f9cf31dac19ed9c6b1668dc3372a350339a27529fbbefca9aa3419d2bdc99f48fafabc4f390aab1601b3e27358eacc1f60f3b88181a19dc0f99117ef98d3fb0b92224c47c771f8e221fef332a5baf5
Sep 27, 2024 23:31:10.685944080 CEST | 1 | IN | Data Raw: 0a
                                                                                                            Data Ascii:
Sep 27, 2024 23:31:10.773195028 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0
Sep 27, 2024 23:31:13.397778988 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:13.697696924 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:13 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                            Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49742 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:13.845736980 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:14.579243898 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:14 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 34 35 61 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 63 38 66 63 66 66 35 31 65 31 39 65 62 62 64 35 35 65 39 30 33 63 61 66 66 38 64 65 37 39 35 38 37 34 64 38 30 34 37 64 35 65 30 63 30 33 36 33 36 62 39 34 65 66 66 64 30 64 61 31 38 32 30 65 63 37 64 35 39 61 64 37 35 66 36 36 63 61 62 33 32 35 37 64 65 66 39 64 35 31 36 63 31 34 31 63 34 36 33 62 39 31 30 66 35 33 32 38 61 32 36 65 34 31 62 61 37 36 37 63 33 34 64 62 39 65 33 34 64 66 33 35 38 37 61 34 30 66 32 32 30 36 32 39 66 33 65 36 37 38 65 66 66 31 61 63 32 65 66 39 64 38 34 33 61 63 63 36 66 38 38 31 31 64 62 34 65 38 64 32 62 62 65 35 33 62 30 65 39 35 66 32 31 65 36 37 64 64 37 65 33 37 62 62 38 39 31 65 64 64 34 34 65 66 38 33 66 63 39 31 32 33 66 35 63 35 61 32 30 65 33 32 65 37 34 30 64 37 38 62 62 65 64 39 33 66 61 38 33 33 33 35 37 65 30 35 36 37 61 32 31 66 65 32 61 35 36 66 31 66 39 66 39 38 65 66 62 32 30 37 61 61 32 65 65 35 39 39 33 38 35 66 32 37 30 32 36 31 [TRUNCATED]
Data Ascii: [TRUNCATED]
Sep 27, 2024 23:31:14.579252958 CEST | 86 | IN | Data Raw: 61 66 39 61 38 31 65 64 35 65 39 37 32 62 35 66 66 65 33 66 31 31 62 33 65 37 32 64 63 30 37 63 64 63 65 31 35 61 36 35 61 66 35 34 61 32 62 37 37 61 63 64 61 34 30 61 35 39 32 31 36 30 32 32 37 66 62 63 36 33 33 63 34 63 33 39 66 65 64 0d 0a 30
                                                                                                            Data Ascii: af9a81ed5e972b5ffe3f11b3e72dc07cdce15a65af54a2b77acda40a592160227fbc633c4c39fed0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49744 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:14.725250959 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:15.504517078 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:15 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                            Data Ascii: e67b680813008c20
Sep 27, 2024 23:31:15.616485119 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:15.884943008 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:15 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                            Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49745 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:16.012973070 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:16.763235092 CEST | 220 | IN | HTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:16 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                            Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49746 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:16.903608084 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
                                                                                                            Host: heketoh.net
                                                                                                            User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                            Sep 27, 2024 23:31:17.670480967 CEST220INHTTP/1.1 200 OK
                                                                                                            Server: nginx/1.20.1
                                                                                                            Date: Fri, 27 Sep 2024 21:31:17 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: keep-alive
                                                                                                            X-Powered-By: PHP/7.4.33
                                                                                                            Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                                                            Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49747 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:17.805356026 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:18.566340923 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49748 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:18.741559982 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:19.491429090 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 27, 2024 23:31:19.600804090 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:19.889611006 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49749 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:20.012634039 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:20.728543043 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49750 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:20.867424965 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:21.632940054 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49751 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:21.793391943 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:22.545339108 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49752 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:22.668943882 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:23.400635004 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49753 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:23.529007912 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:24.264014006 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49754 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:24.387687922 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:25.164530039 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49755 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:25.371404886 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:26.091356039 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49756 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:26.215436935 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:26.941695929 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49757 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:27.076319933 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:27.781090021 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49758 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:27.903376102 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:28.631567955 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:28.762728930 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:29.478250980 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 27, 2024 23:31:29.592431068 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:29.853432894 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49760 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:30.926161051 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:31.623944044 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49761 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:31.798731089 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:32.506511927 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 27, 2024 23:31:32.621460915 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:32.883306026 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 49762 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:33.013679981 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:33.727355003 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 49763 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:33.862035036 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:34.597707987 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 49764 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:34.801655054 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:35.519665956 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:35.639951944 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:36.341764927 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 49766 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:36.473896980 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:37.179297924 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:37.352685928 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:38.054491997 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Sep 27, 2024 23:31:38.163311958 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
Host: heketoh.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:38.418113947 CEST | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 27 Sep 2024 21:31:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49768 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:38.545594931 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:39.255572081 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Sep 27, 2024 23:31:39.371234894 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:39.619251013 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49769 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:39.747899055 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:40.445254087 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49770 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:40.669487000 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:41.369467974 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49771 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:41.496869087 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:42.212929964 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49772 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:42.341106892 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:43.033169031 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49773 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:43.226192951 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:43.920540094 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49774 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:44.044529915 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:44.749358892 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49775 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:44.872136116 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:45.578264952 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 49776 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:45.701335907 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:46.400785923 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 49777 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:46.528207064 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:47.250514984 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 49778 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:47.372265100 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:48.084738016 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 49779 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:48.200314045 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:48.916795015 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:48 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 49780 | 45.155.250.128 | 80 | 772 | C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:49.200798988 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:49.931500912 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 42 | Source IP: 192.168.2.4 | Source Port: 49781 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:50.060486078 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:50.762917995 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 43 | Source IP: 192.168.2.4 | Source Port: 49782 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:50.895452976 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:51.599097967 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 44 | Source IP: 192.168.2.4 | Source Port: 49783 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:51.831259012 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:52.536751032 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 45 | Source IP: 192.168.2.4 | Source Port: 49784 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:52.653439999 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:53.371033907 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 49785 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:53.499073982 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:54.261552095 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 49786 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:54.434941053 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:55.211530924 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 49787 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:55.346120119 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:56.086482048 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 49 | Source IP: 192.168.2.4 | Source Port: 49788 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:56.217586994 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:56.994458914 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 49789 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:57.124916077 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:57.827439070 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 49790 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:57.980616093 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:58.659138918 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 49791 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:58.795252085 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:31:59.563734055 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:31:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID: 53 | Source IP: 192.168.2.4 | Source Port: 49792 | Destination IP: 45.155.250.128 | Destination Port: 80 | PID: 772 | Process: C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:31:59.689603090 CEST | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8908e4a865a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ccf699311 HTTP/1.1
    Host: heketoh.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Sep 27, 2024 23:32:00.439975977 CEST | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 27 Sep 2024 21:32:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


                                                                                                            Target ID:0
                                                                                                            Start time:17:29:54
                                                                                                            Start date:27/09/2024
                                                                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:3'132'268 bytes
                                                                                                            MD5 hash:E3BF1BD1BB1678ECA7BC20F0DE65FB4F
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:1
                                                                                                            Start time:17:29:55
                                                                                                            Start date:27/09/2024
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-42905.tmp\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.tmp" /SL5="$10434,2865995,56832,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Munp.1.11072.7602.exe"
                                                                                                            Imagebase:0x400000
                                                                                                            File size:708'608 bytes
                                                                                                            MD5 hash:ED4730120FE89130C401E2280D614D75
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:2
                                                                                                            Start time:17:29:56
                                                                                                            Start date:27/09/2024
                                                                                                            Path:C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se32_64.exe" -i
                                                                                                            Imagebase:0x400000
                                                                                                            File size:2'662'400 bytes
                                                                                                            MD5 hash:C26B00F4D8662FF6FAF6841BDAED9586
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2906105184.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:21.3%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:2.4%
                                                                                                              Total number of Nodes:1520
                                                                                                              Total number of Limit Nodes:22
execution_graph: node/edge listing of the rendered call graph (node labels are code addresses inside the 0x400000 image base; edges "a->b" are call/return relations), not reproduced here. Windows API call chains that are recoverable from the graph nodes:
• File and resource I/O: ReadFile, WriteFile, SetFilePointer, SetEndOfFile, CloseHandle (each with a GetLastError error path); FindResourceA, SizeofResource, LoadResource, LockResource
• Memory, exceptions and synchronisation: LocalAlloc, LocalFree, VirtualAlloc, VirtualFree, VirtualQuery, VirtualProtect, GetSystemInfo, RaiseException, RtlUnwind, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InterlockedExchange
• Privilege and shutdown path (function at 0x409448): GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
• Dynamic API resolution and process hardening (function at 0x40457c): GetModuleHandleA, GetProcAddress, SetProcessDEPPolicy; also Wow64RevertWow64FsRedirection, SetLastError, SetErrorMode
• Registry: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• Environment, paths and locale: GetCommandLineA, GetModuleFileNameA, GetWindowsDirectoryA, GetEnvironmentVariableA, GetFullPathNameA, GetFileAttributesA, CreateDirectoryA, RemoveDirectoryA, GetSystemTime, GetUserDefaultLangID, GetACP, GetSystemDefaultLCID, GetLocaleInfoA, IsDBCSLeadByte, CharPrevA
• UI and process control: MessageBoxA, DestroyWindow, CallWindowProcA, VariantClear, ExitProcess
calls 5661->5662 5663 4054cb 5662->5663 5664 40520c 19 API calls 5663->5664 5665 4054e0 5664->5665 5666 4031e8 18 API calls 5665->5666 5667 4054ed 5666->5667 5668 405258 GetLocaleInfoA 5667->5668 5669 4054fb 5668->5669 5670 40520c 19 API calls 5669->5670 5671 405515 5670->5671 5672 4031e8 18 API calls 5671->5672 5673 405522 5672->5673 5674 40520c 19 API calls 5673->5674 5675 405537 5674->5675 5676 4031e8 18 API calls 5675->5676 5677 405544 5676->5677 5678 40520c 19 API calls 5677->5678 5679 405559 5678->5679 5680 405576 5679->5680 5681 405567 5679->5681 5683 40322c 4 API calls 5680->5683 5708 40322c 5681->5708 5684 405574 5683->5684 5685 40520c 19 API calls 5684->5685 5686 405598 5685->5686 5687 4055b5 5686->5687 5688 4055a6 5686->5688 5690 403198 4 API calls 5687->5690 5689 40322c 4 API calls 5688->5689 5691 4055b3 5689->5691 5690->5691 5692 4033b4 18 API calls 5691->5692 5693 4055d7 5692->5693 5694 4033b4 18 API calls 5693->5694 5695 4055f1 5694->5695 5696 4031b8 4 API calls 5695->5696 5697 40560b 5696->5697 5698 405cf4 GetVersionExA 5697->5698 5699 405d0b 5698->5699 5699->5468 5701 405233 5700->5701 5702 405245 5700->5702 5703 403278 18 API calls 5701->5703 5704 40322c 4 API calls 5702->5704 5705 405243 5703->5705 5704->5705 5705->5646 5707 405274 5706->5707 5707->5654 5710 403230 5708->5710 5709 403252 5709->5684 5710->5709 5711 4025ac 4 API calls 5710->5711 5711->5709 5716 403414 5712->5716 5715 406fee 5715->5528 5717 403418 LoadLibraryA 5716->5717 5717->5715 5719 406af0 18 API calls 5718->5719 5720 406bf3 5719->5720 5721 406c05 5720->5721 5722 406af0 18 API calls 5720->5722 5723 403198 4 API calls 5721->5723 5722->5720 5724 406c1a 5723->5724 5724->5544 5726 407578 5725->5726 5727 4075b7 CreateFileA 5726->5727 5727->5562 5729 403414 5728->5729 5730 4075b7 CreateFileA 5729->5730 5730->5562 5732 407cd3 5731->5732 5736 407cc8 5731->5736 5737 407c5c 5732->5737 5735 405890 18 API calls 5735->5736 5736->5601 5738 407c70 5737->5738 5739 407caf 5737->5739 5738->5739 
5741 407bac 5738->5741 5739->5735 5739->5736 5742 407bb7 5741->5742 5743 407bc8 5741->5743 5744 405890 18 API calls 5742->5744 5745 4074a0 34 API calls 5743->5745 5744->5743 5746 407bdc 5745->5746 5747 4074a0 34 API calls 5746->5747 5748 407bfd 5747->5748 5749 407918 InterlockedExchange 5748->5749 5750 407c12 5749->5750 5751 407c28 5750->5751 5752 405890 18 API calls 5750->5752 5751->5738 5752->5751 5754 402598 5753->5754 5757 4025a2 5753->5757 5759 401fd4 5754->5759 5755 40259e 5756 403154 4 API calls 5755->5756 5755->5757 5756->5757 5757->5626 5760 401fe8 5759->5760 5763 401fed 5759->5763 5770 401918 RtlInitializeCriticalSection 5760->5770 5762 402012 RtlEnterCriticalSection 5764 40201c 5762->5764 5763->5762 5763->5764 5769 401ff1 5763->5769 5764->5769 5777 401ee0 5764->5777 5767 402147 5767->5755 5768 40213d RtlLeaveCriticalSection 5768->5767 5769->5755 5771 40193c RtlEnterCriticalSection 5770->5771 5772 401946 5770->5772 5771->5772 5773 401964 LocalAlloc 5772->5773 5774 40197e 5773->5774 5775 4019c3 RtlLeaveCriticalSection 5774->5775 5776 4019cd 5774->5776 5775->5776 5776->5763 5781 401ef0 5777->5781 5778 401f40 5778->5767 5778->5768 5779 401f1c 5779->5778 5788 401d00 5779->5788 5781->5778 5781->5779 5783 401e58 5781->5783 5792 4016d8 5783->5792 5786 401e75 5786->5781 5789 401d4e 5788->5789 5790 401d1e 5788->5790 5789->5790 5861 401c68 5789->5861 5790->5778 5793 4016f4 5792->5793 5794 4016fe 5793->5794 5799 40174f 5793->5799 5801 40175b 5793->5801 5809 401430 5793->5809 5821 40132c 5793->5821 5817 4015c4 5794->5817 5797 40170a 5797->5801 5825 40150c 5799->5825 5801->5786 5802 401dcc 5801->5802 5835 401d80 5802->5835 5805 40132c LocalAlloc 5806 401df0 5805->5806 5807 401df8 5806->5807 5839 401b44 5806->5839 5807->5786 5810 40143f VirtualAlloc 5809->5810 5812 40146c 5810->5812 5813 40148f 5810->5813 5829 4012e4 5812->5829 5813->5793 5816 40147c VirtualFree 5816->5813 5818 40160a 5817->5818 5819 401626 VirtualAlloc 5818->5819 5820 40163a 5818->5820 5819->5818 
5819->5820 5820->5797 5822 401348 5821->5822 5823 4012e4 LocalAlloc 5822->5823 5824 40138f 5823->5824 5824->5793 5828 40153b 5825->5828 5826 401594 5826->5801 5827 401568 VirtualFree 5827->5828 5828->5826 5828->5827 5832 40128c 5829->5832 5833 401298 LocalAlloc 5832->5833 5834 4012aa 5832->5834 5833->5834 5834->5813 5834->5816 5836 401d92 5835->5836 5837 401d89 5835->5837 5836->5805 5837->5836 5844 401b74 5837->5844 5840 401b52 5839->5840 5842 401b61 5839->5842 5841 401d00 9 API calls 5840->5841 5843 401b5f 5841->5843 5842->5807 5843->5807 5847 40215c 5844->5847 5846 401b95 5846->5836 5848 40217a 5847->5848 5849 402175 5847->5849 5851 4021ab RtlEnterCriticalSection 5848->5851 5854 40217e 5848->5854 5859 4021b5 5848->5859 5850 401918 4 API calls 5849->5850 5850->5848 5851->5859 5852 4021c1 5855 4022e3 RtlLeaveCriticalSection 5852->5855 5856 4022ed 5852->5856 5853 402244 5853->5854 5857 401d80 7 API calls 5853->5857 5854->5846 5855->5856 5856->5846 5857->5854 5858 402270 5858->5852 5860 401d00 7 API calls 5858->5860 5859->5852 5859->5853 5859->5858 5860->5852 5862 401c7a 5861->5862 5863 401c9d 5862->5863 5864 401caf 5862->5864 5874 40188c 5863->5874 5866 40188c 3 API calls 5864->5866 5867 401cad 5866->5867 5868 401b44 9 API calls 5867->5868 5873 401cc5 5867->5873 5869 401cd4 5868->5869 5870 401cee 5869->5870 5884 401b98 5869->5884 5889 4013a0 5870->5889 5873->5790 5875 4018b2 5874->5875 5883 40190b 5874->5883 5893 401658 5875->5893 5878 40132c LocalAlloc 5879 4018cf 5878->5879 5880 4018e6 5879->5880 5881 40150c VirtualFree 5879->5881 5882 4013a0 LocalAlloc 5880->5882 5880->5883 5881->5880 5882->5883 5883->5867 5885 401bab 5884->5885 5886 401b9d 5884->5886 5885->5870 5887 401b74 9 API calls 5886->5887 5888 401baa 5887->5888 5888->5870 5890 4013ab 5889->5890 5891 4013c6 5890->5891 5892 4012e4 LocalAlloc 5890->5892 5891->5873 5892->5891 5895 40168f 5893->5895 5894 4016cf 5894->5878 5895->5894 5896 4016a9 VirtualFree 5895->5896 5896->5895 6853 402dfa 6854 402e26 
6853->6854 6855 402e0d 6853->6855 6857 402ba4 6855->6857 6858 402bc9 6857->6858 6859 402bad 6857->6859 6858->6854 6860 402bb5 RaiseException 6859->6860 6860->6858 6861 4075fa GetFileSize 6862 407626 6861->6862 6863 407616 GetLastError 6861->6863 6863->6862 6864 40761f 6863->6864 6865 40748c 35 API calls 6864->6865 6865->6862 6866 406ffb 6867 407008 SetErrorMode 6866->6867 6535 403a80 CloseHandle 6536 403a90 6535->6536 6537 403a91 GetLastError 6535->6537 6538 404283 6539 4042c3 6538->6539 6540 403154 4 API calls 6539->6540 6541 404323 6540->6541 6868 404185 6869 4041ff 6868->6869 6870 4041cc 6869->6870 6871 403154 4 API calls 6869->6871 6872 404323 6871->6872 6542 403e87 6543 403e4c 6542->6543 6544 403e67 6543->6544 6545 403e62 6543->6545 6546 403e7b 6543->6546 6549 403e78 6544->6549 6555 402674 6544->6555 6551 403cc8 6545->6551 6548 402674 4 API calls 6546->6548 6548->6549 6552 403cd6 6551->6552 6553 402674 4 API calls 6552->6553 6554 403ceb 6552->6554 6553->6554 6554->6544 6556 403154 4 API calls 6555->6556 6557 40267a 6556->6557 6557->6549 6566 407e90 6567 407eb8 VirtualFree 6566->6567 6568 407e9d 6567->6568 6571 403e95 6572 403e4c 6571->6572 6573 403e67 6572->6573 6574 403e62 6572->6574 6575 403e7b 6572->6575 6578 403e78 6573->6578 6579 402674 4 API calls 6573->6579 6576 403cc8 4 API calls 6574->6576 6577 402674 4 API calls 6575->6577 6576->6573 6577->6578 6579->6578 6580 40ac97 6589 4096fc 6580->6589 6583 402f24 5 API calls 6584 40aca1 6583->6584 6585 403198 4 API calls 6584->6585 6586 40acc0 6585->6586 6587 403198 4 API calls 6586->6587 6588 40acc8 6587->6588 6598 4056ac 6589->6598 6591 409745 6594 403198 4 API calls 6591->6594 6592 409717 6592->6591 6604 40720c 6592->6604 6596 40975a 6594->6596 6595 409735 6597 40973d MessageBoxA 6595->6597 6596->6583 6596->6584 6597->6591 6599 403154 4 API calls 6598->6599 6600 4056b1 6599->6600 6601 4056c9 6600->6601 6602 403154 4 API calls 6600->6602 6601->6592 6603 4056bf 6602->6603 6603->6592 6605 4056ac 4 API calls 
6604->6605 6606 40721b 6605->6606 6607 407221 6606->6607 6608 40722f 6606->6608 6609 40322c 4 API calls 6607->6609 6611 40724b 6608->6611 6612 40723f 6608->6612 6610 40722d 6609->6610 6610->6595 6622 4032b8 6611->6622 6615 4071d0 6612->6615 6616 40322c 4 API calls 6615->6616 6617 4071df 6616->6617 6618 4071fc 6617->6618 6619 406950 CharPrevA 6617->6619 6618->6610 6620 4071eb 6619->6620 6620->6618 6621 4032fc 18 API calls 6620->6621 6621->6618 6623 403278 18 API calls 6622->6623 6624 4032c2 6623->6624 6624->6610 6625 403a97 6626 403aac 6625->6626 6627 403bbc GetStdHandle 6626->6627 6628 403b0e CreateFileA 6626->6628 6636 403ab2 6626->6636 6629 403c17 GetLastError 6627->6629 6633 403bba 6627->6633 6628->6629 6630 403b2c 6628->6630 6629->6636 6632 403b3b GetFileSize 6630->6632 6630->6633 6632->6629 6634 403b4e SetFilePointer 6632->6634 6635 403be7 GetFileType 6633->6635 6633->6636 6634->6629 6639 403b6a ReadFile 6634->6639 6635->6636 6638 403c02 CloseHandle 6635->6638 6638->6636 6639->6629 6640 403b8c 6639->6640 6640->6633 6641 403b9f SetFilePointer 6640->6641 6641->6629 6642 403bb0 SetEndOfFile 6641->6642 6642->6629 6642->6633 6647 40aaa2 6648 40aad2 6647->6648 6649 40aadc CreateWindowExA SetWindowLongA 6648->6649 6650 405194 33 API calls 6649->6650 6651 40ab5f 6650->6651 6652 4032fc 18 API calls 6651->6652 6653 40ab6d 6652->6653 6654 4032fc 18 API calls 6653->6654 6655 40ab7a 6654->6655 6656 406b7c 19 API calls 6655->6656 6657 40ab86 6656->6657 6658 4032fc 18 API calls 6657->6658 6659 40ab8f 6658->6659 6660 4099ec 43 API calls 6659->6660 6661 40aba1 6660->6661 6662 4098cc 19 API calls 6661->6662 6663 40abb4 6661->6663 6662->6663 6664 40abed 6663->6664 6665 4094d8 9 API calls 6663->6665 6666 40ac06 6664->6666 6669 40ac00 RemoveDirectoryA 6664->6669 6665->6664 6667 40ac1a 6666->6667 6668 40ac0f DestroyWindow 6666->6668 6670 40ac42 6667->6670 6671 40357c 4 API calls 6667->6671 6668->6667 6669->6666 6672 40ac38 6671->6672 6673 4025ac 4 API calls 6672->6673 6673->6670 
6885 405ba2 6887 405ba4 6885->6887 6886 405be0 6890 405940 19 API calls 6886->6890 6887->6886 6888 405bf7 6887->6888 6889 405bda 6887->6889 6893 404cdc 19 API calls 6888->6893 6889->6886 6891 405c4c 6889->6891 6894 405bf3 6890->6894 6892 4059b0 33 API calls 6891->6892 6892->6894 6896 405c20 6893->6896 6895 403198 4 API calls 6894->6895 6897 405c86 6895->6897 6898 4059b0 33 API calls 6896->6898 6898->6894 6899 408da4 6900 408dc8 6899->6900 6901 408c80 18 API calls 6900->6901 6902 408dd1 6901->6902 6674 402caa 6675 403154 4 API calls 6674->6675 6676 402caf 6675->6676 6917 4011aa 6918 4011ac GetStdHandle 6917->6918 6677 4028ac 6678 402594 18 API calls 6677->6678 6679 4028b6 6678->6679 4989 40aab4 4990 40aab8 SetLastError 4989->4990 5021 409648 GetLastError 4990->5021 4993 40aad2 4995 40aadc CreateWindowExA SetWindowLongA 4993->4995 5034 405194 4995->5034 4999 40ab6d 5000 4032fc 18 API calls 4999->5000 5001 40ab7a 5000->5001 5051 406b7c GetCommandLineA 5001->5051 5004 4032fc 18 API calls 5005 40ab8f 5004->5005 5056 4099ec 5005->5056 5007 40aba1 5009 40abb4 5007->5009 5077 4098cc 5007->5077 5010 40abd4 5009->5010 5011 40abed 5009->5011 5083 4094d8 5010->5083 5013 40ac06 5011->5013 5016 40ac00 RemoveDirectoryA 5011->5016 5014 40ac1a 5013->5014 5015 40ac0f DestroyWindow 5013->5015 5017 40ac42 5014->5017 5091 40357c 5014->5091 5015->5014 5016->5013 5019 40ac38 5104 4025ac 5019->5104 5108 404c94 5021->5108 5029 4096c3 5123 4031b8 5029->5123 5035 4051a8 33 API calls 5034->5035 5036 4051a3 5035->5036 5037 4032fc 5036->5037 5038 403300 5037->5038 5039 40333f 5037->5039 5040 4031e8 5038->5040 5041 40330a 5038->5041 5039->4999 5047 403254 18 API calls 5040->5047 5048 4031fc 5040->5048 5042 403334 5041->5042 5043 40331d 5041->5043 5046 4034f0 18 API calls 5042->5046 5284 4034f0 5043->5284 5044 403228 5044->4999 5050 403322 5046->5050 5047->5048 5048->5044 5049 4025ac 4 API calls 5048->5049 5049->5044 5050->4999 5310 406af0 5051->5310 5053 406ba1 5054 403198 4 API calls 5053->5054 
5055 406bbf 5054->5055 5055->5004 5324 4033b4 5056->5324 5058 409a27 5059 409a59 CreateProcessA 5058->5059 5060 409a65 5059->5060 5061 409a6c CloseHandle 5059->5061 5062 409648 35 API calls 5060->5062 5063 409a75 5061->5063 5062->5061 5064 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5063->5064 5065 409a7a MsgWaitForMultipleObjects 5064->5065 5065->5063 5066 409a91 5065->5066 5067 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5066->5067 5068 409a96 GetExitCodeProcess CloseHandle 5067->5068 5069 409ab6 5068->5069 5070 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5069->5070 5071 409abe 5070->5071 5071->5007 5072 402f24 5073 403154 4 API calls 5072->5073 5074 402f29 5073->5074 5330 402bcc 5074->5330 5076 402f51 5076->5076 5078 40990e 5077->5078 5079 4098d4 5077->5079 5078->5009 5079->5078 5080 403420 18 API calls 5079->5080 5081 409908 5080->5081 5333 408e80 5081->5333 5084 409532 5083->5084 5088 4094eb 5083->5088 5084->5011 5085 4094f3 Sleep 5085->5088 5086 409503 Sleep 5086->5088 5088->5084 5088->5085 5088->5086 5089 40951a GetLastError 5088->5089 5356 408fbc 5088->5356 5089->5084 5090 409524 GetLastError 5089->5090 5090->5084 5090->5088 5092 403591 5091->5092 5093 4035a0 5091->5093 5096 4035d0 5092->5096 5097 40359b 5092->5097 5101 4035b6 5092->5101 5094 4035b1 5093->5094 5095 4035b8 5093->5095 5098 403198 4 API calls 5094->5098 5099 4031b8 4 API calls 5095->5099 5096->5101 5102 40357c 4 API calls 5096->5102 5097->5093 5100 4035ec 5097->5100 5098->5101 5099->5101 5100->5101 5373 403554 5100->5373 5101->5019 5102->5096 5105 4025b0 5104->5105 5106 4025ba 5104->5106 5105->5106 5107 403154 4 API calls 5105->5107 5106->5017 5106->5106 5107->5106 5131 4051a8 5108->5131 5111 407284 FormatMessageA 5112 4072aa 5111->5112 5113 403278 18 API calls 5112->5113 5114 4072c7 5113->5114 5115 408da8 5114->5115 5116 408dc8 5115->5116 5274 408c80 5116->5274 5119 405890 5120 405897 5119->5120 5121 4031e8 18 API calls 5120->5121 5122 4058af 5121->5122 
5122->5029 5124 4031be 5123->5124 5125 4031e3 5124->5125 5126 4025ac 4 API calls 5124->5126 5127 403198 5125->5127 5126->5124 5128 4031b7 5127->5128 5129 40319e 5127->5129 5128->4993 5128->5072 5129->5128 5130 4025ac 4 API calls 5129->5130 5130->5128 5132 4051c5 5131->5132 5139 404e58 5132->5139 5135 4051f1 5144 403278 5135->5144 5141 404e73 5139->5141 5140 404e85 5140->5135 5149 404be4 5140->5149 5141->5140 5152 404f7a 5141->5152 5159 404e4c 5141->5159 5145 403254 18 API calls 5144->5145 5146 403288 5145->5146 5147 403198 4 API calls 5146->5147 5148 4032a0 5147->5148 5148->5111 5266 405940 5149->5266 5151 404bf5 5151->5135 5153 404fd9 5152->5153 5154 404f8b 5152->5154 5156 404ff7 5153->5156 5162 404df4 5153->5162 5154->5153 5157 40505f 5154->5157 5156->5141 5157->5156 5166 404e38 5157->5166 5160 403198 4 API calls 5159->5160 5161 404e56 5160->5161 5161->5141 5163 404e02 5162->5163 5169 404bfc 5163->5169 5165 404e30 5165->5153 5196 4039a4 5166->5196 5172 4059b0 5169->5172 5171 404c15 5171->5165 5173 4059be 5172->5173 5182 404cdc LoadStringA 5173->5182 5176 405194 33 API calls 5177 4059f6 5176->5177 5185 4031e8 5177->5185 5180 4031b8 4 API calls 5181 405a1b 5180->5181 5181->5171 5183 403278 18 API calls 5182->5183 5184 404d09 5183->5184 5184->5176 5186 4031ec 5185->5186 5188 4031fc 5185->5188 5186->5188 5191 403254 5186->5191 5187 403228 5187->5180 5188->5187 5190 4025ac 4 API calls 5188->5190 5190->5187 5192 403274 5191->5192 5193 403258 5191->5193 5192->5188 5194 402594 18 API calls 5193->5194 5195 403261 5194->5195 5195->5188 5197 4039ab 5196->5197 5202 4038b4 5197->5202 5199 4039cb 5200 403198 4 API calls 5199->5200 5201 4039d2 5200->5201 5201->5156 5203 4038d5 5202->5203 5204 4038c8 5202->5204 5206 403934 5203->5206 5207 4038db 5203->5207 5230 403780 5204->5230 5208 403993 5206->5208 5209 40393b 5206->5209 5210 4038e1 5207->5210 5211 4038ee 5207->5211 5213 4037f4 3 API calls 5208->5213 5214 403941 5209->5214 5215 40394b 5209->5215 5237 403894 5210->5237 5212 
403894 6 API calls 5211->5212 5218 4038fc 5212->5218 5216 4038d0 5213->5216 5252 403864 5214->5252 5220 4037f4 3 API calls 5215->5220 5216->5199 5242 4037f4 5218->5242 5221 40395d 5220->5221 5223 403864 23 API calls 5221->5223 5225 403976 5223->5225 5224 403917 5248 40374c 5224->5248 5227 40374c VariantClear 5225->5227 5229 40398b 5227->5229 5228 40392c 5228->5199 5229->5199 5231 4037f0 5230->5231 5236 403744 5230->5236 5231->5216 5232 403793 VariantClear 5232->5236 5233 403198 4 API calls 5233->5236 5234 4037dc VariantCopyInd 5234->5231 5234->5236 5235 4037ab 5235->5216 5236->5230 5236->5232 5236->5233 5236->5234 5236->5235 5257 4036b8 5237->5257 5240 40374c VariantClear 5241 4038a9 5240->5241 5241->5216 5243 403845 VariantChangeTypeEx 5242->5243 5244 40380a VariantChangeTypeEx 5242->5244 5247 403832 5243->5247 5245 403826 5244->5245 5246 40374c VariantClear 5245->5246 5246->5247 5247->5224 5249 403766 5248->5249 5250 403759 5248->5250 5249->5228 5250->5249 5251 403779 VariantClear 5250->5251 5251->5228 5263 40369c SysStringLen 5252->5263 5255 40374c VariantClear 5256 403882 5255->5256 5256->5216 5258 4036cb 5257->5258 5259 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5258->5259 5260 4036db 5258->5260 5261 40372e 5259->5261 5262 4036ed MultiByteToWideChar SysAllocStringLen 5260->5262 5261->5240 5262->5261 5264 403610 21 API calls 5263->5264 5265 4036b3 5264->5265 5265->5255 5267 40594c 5266->5267 5268 404cdc 19 API calls 5267->5268 5269 405972 5268->5269 5270 4031e8 18 API calls 5269->5270 5271 40597d 5270->5271 5272 403198 4 API calls 5271->5272 5273 405992 5272->5273 5273->5151 5275 403198 4 API calls 5274->5275 5277 408cb1 5274->5277 5275->5277 5276 4031b8 4 API calls 5278 408d69 5276->5278 5279 408cc8 5277->5279 5280 403278 18 API calls 5277->5280 5282 4032fc 18 API calls 5277->5282 5283 408cdc 5277->5283 5278->5119 5281 4032fc 18 API calls 5279->5281 5280->5277 5281->5283 5282->5277 5283->5276 5285 4034fd 5284->5285 5292 40352d 5284->5292 
5286 403526 5285->5286 5288 403509 5285->5288 5289 403254 18 API calls 5286->5289 5287 403198 4 API calls 5290 403517 5287->5290 5293 4025c4 5288->5293 5289->5292 5290->5050 5292->5287 5294 4025ca 5293->5294 5295 4025dc 5294->5295 5297 403154 5294->5297 5295->5290 5295->5295 5298 403164 5297->5298 5299 40318c TlsGetValue 5297->5299 5298->5295 5300 403196 5299->5300 5301 40316f 5299->5301 5300->5295 5305 40310c 5301->5305 5303 403174 TlsGetValue 5304 403184 5303->5304 5304->5295 5306 403120 LocalAlloc 5305->5306 5307 403116 5305->5307 5308 40313e TlsSetValue 5306->5308 5309 403132 5306->5309 5307->5306 5308->5309 5309->5303 5311 406b1c 5310->5311 5312 403278 18 API calls 5311->5312 5313 406b29 5312->5313 5320 403420 5313->5320 5315 406b31 5316 4031e8 18 API calls 5315->5316 5317 406b49 5316->5317 5318 403198 4 API calls 5317->5318 5319 406b6b 5318->5319 5319->5053 5321 403426 5320->5321 5323 403437 5320->5323 5322 403254 18 API calls 5321->5322 5321->5323 5322->5323 5323->5315 5325 4033bc 5324->5325 5326 403254 18 API calls 5325->5326 5327 4033cf 5326->5327 5328 4031e8 18 API calls 5327->5328 5329 4033f7 5328->5329 5331 402bd5 RaiseException 5330->5331 5332 402be6 5330->5332 5331->5332 5332->5076 5334 408e8e 5333->5334 5336 408ea6 5334->5336 5346 408e18 5334->5346 5337 408e18 18 API calls 5336->5337 5338 408eca 5336->5338 5337->5338 5349 407918 5338->5349 5340 408ee5 5341 408e18 18 API calls 5340->5341 5343 408ef8 5340->5343 5341->5343 5342 408e18 18 API calls 5342->5343 5343->5342 5344 403278 18 API calls 5343->5344 5345 408f27 5343->5345 5344->5343 5345->5078 5347 405890 18 API calls 5346->5347 5348 408e29 5347->5348 5348->5336 5352 4078c4 5349->5352 5353 4078d6 5352->5353 5354 4078e7 5352->5354 5355 4078db InterlockedExchange 5353->5355 5354->5340 5355->5354 5364 408f70 5356->5364 5358 408fd2 5359 408fd6 5358->5359 5360 408ff2 DeleteFileA GetLastError 5358->5360 5359->5088 5361 409010 5360->5361 5370 408fac 5361->5370 5365 408f7a 5364->5365 5366 408f7e 5364->5366 
5365->5358 5367 408fa0 SetLastError 5366->5367 5368 408f87 Wow64DisableWow64FsRedirection 5366->5368 5369 408f9b 5367->5369 5368->5369 5369->5358 5371 408fb1 Wow64RevertWow64FsRedirection 5370->5371 5372 408fbb 5370->5372 5371->5372 5372->5088 5374 403566 5373->5374 5376 403578 5374->5376 5377 403604 5374->5377 5376->5100 5378 40357c 5377->5378 5381 4035d0 5378->5381 5382 40359b 5378->5382 5385 4035a0 5378->5385 5387 4035b6 5378->5387 5379 4035b1 5383 403198 4 API calls 5379->5383 5380 4035b8 5384 4031b8 4 API calls 5380->5384 5381->5387 5388 40357c 4 API calls 5381->5388 5382->5385 5386 4035ec 5382->5386 5383->5387 5384->5387 5385->5379 5385->5380 5386->5387 5389 403554 4 API calls 5386->5389 5387->5374 5388->5381 5389->5386 6680 401ab9 6681 401a96 6680->6681 6682 401aa9 RtlDeleteCriticalSection 6681->6682 6683 401a9f RtlLeaveCriticalSection 6681->6683 6683->6682

Control-flow Graph
Graph for 409b78-409c33 (GetSystemInfo, VirtualQuery, VirtualProtect); interactive figure not reproduced.
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B8A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
• Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
• Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
• Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
• Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                              • API String ID: 3256987805-3653653586
                                                                                                              • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                              • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                                              • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                              • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020F1E18), ref: 0040966C
                                                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                              • SetWindowLongA.USER32(00010434,000000FC,00409960), ref: 0040AB15
                                                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                              • DestroyWindow.USER32(00010434,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                              • API String ID: 3757039580-3001827809
                                                                                                              • Opcode ID: 512ba3d6f2e9f1c3867d88fe9cc8f5790ae5845b184f1ae6f41adfa2939ac233
                                                                                                              • Instruction ID: be79b44adbed8f80b53e5612ba2c07cab25871a7655baedeeb07d74425ea1546
                                                                                                              • Opcode Fuzzy Hash: 512ba3d6f2e9f1c3867d88fe9cc8f5790ae5845b184f1ae6f41adfa2939ac233
                                                                                                              • Instruction Fuzzy Hash: 83410070604204DBDB10EBA9EE89B9D37A5EB49304F10467FF114B72E2D7B89845CB9D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                              • String ID: $WJ$0AJ$TWJ$dWJ
                                                                                                              • API String ID: 730355536-3019137393
                                                                                                              • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                                              • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                              • API String ID: 1646373207-2130885113
                                                                                                              • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                                              • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                                              • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                                              • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                              • SetWindowLongA.USER32(00010434,000000FC,00409960), ref: 0040AB15
                                                                                                                • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                                                • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                                • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8,00000000), ref: 00409A70
                                                                                                                • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                                • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                                • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8), ref: 00409AA4
                                                                                                              • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                              • DestroyWindow.USER32(00010434,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                              • API String ID: 3586484885-3001827809
                                                                                                              • Opcode ID: abbbb59459200108d21b408613378a390e3e047840070f8330146cd7c6fc736f
                                                                                                              • Instruction ID: 3ba592a6bb5a586105fd12ff7794ab8e81bfb13978b6693ff680cbbbd79f3ebd
                                                                                                              • Opcode Fuzzy Hash: abbbb59459200108d21b408613378a390e3e047840070f8330146cd7c6fc736f
                                                                                                              • Instruction Fuzzy Hash: EF410B71604204DFD714EBA9EE89B5A37B5EB48314F20467BF104BB2E1D7B8A844CB9D

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8,00000000), ref: 00409A70
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                              • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8), ref: 00409AA4
                                                                                                                • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020F1E18), ref: 0040966C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                              • String ID: D
                                                                                                              • API String ID: 3356880605-2746444292
                                                                                                              • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                              • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                                              • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                              • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69
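The API listings above are raw sandbox output. Two of the blocks show patterns an analyst checks for by hand: the first resolves SetDllDirectoryW, SetSearchPathMode and SetProcessDEPPolicy by name through GetProcAddress and then calls SetProcessDEPPolicy(00000001), and the CreateProcessA block spawns a child, waits on it with MsgWaitForMultipleObjects and reads GetExitCodeProcess. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's own "APIs" format (the embedded sample lines are copied from those two blocks) and turns them into findings. The names LOADER_HARDENING, summarize and resolved_imports are my own, and the rule that a value ending in ".dll" in GetProcAddress's name slot is argument-reconstruction noise is an assumption drawn from the Wow64 block, where the listing shows "kernel32.dll" in that slot while the block's String ID names the real exports; the sandbox reconstructs argument values best-effort from the stack, so the String ID list stays the authority.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: bullet lines in the Joe Sandbox "APIs" format,
# copied from two function blocks of this report ("ref:" is the call-site address).
LOADER_FUNC = """\
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
"""

SPAWN_FUNC = """\
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8,00000000,00409ABF), ref: 00409A5C
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8,00000000), ref: 00409A70
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
• GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020F1E18,00409AD8), ref: 00409AA4
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020F1E18), ref: 0040966C
"""

# One bullet line: optional "Part of subcall function XXXXXXXX:" prefix, API.MODULE,
# an optional "(args)," group (some lines such as SetLastError carry no arguments), then "ref: addr".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Argument slots the sandbox could not name: a raw hex value or "?" (unknown).
HEX_OR_UNKNOWN = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one "APIs" section; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def resolved_imports(calls: List[ApiCall]) -> List[str]:
    """Export names the function resolves at run time through GetProcAddress.
    Assumption: a module name (".dll") in the name slot is reconstruction noise, not an export."""
    names = []
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        name = c.args[1]
        if HEX_OR_UNKNOWN.match(name) or name.lower().endswith(".dll"):
            continue
        names.append(name)
    return names


# Self-hardening APIs a loader stub resolves by name (seen in this report's first block).
LOADER_HARDENING = {"SetDllDirectoryW", "SetDllDirectoryA", "SetSearchPathMode", "SetProcessDEPPolicy"}
PROCESS_DEP_ENABLE = 0x00000001


def summarize(calls: List[ApiCall]) -> List[str]:
    """Turn one function's call list into analyst-facing findings."""
    findings = []
    direct = [c for c in calls if c.subcall_of is None]
    apis = {c.api for c in direct}
    names = resolved_imports(calls)
    if names:
        findings.append("resolves APIs at run time via GetProcAddress: " + ", ".join(names))
    hardening = LOADER_HARDENING & set(names)
    if hardening:
        findings.append("loader hardening (safe DLL search path / DEP opt-in): " + ", ".join(sorted(hardening)))
    for c in direct:
        if c.api == "SetProcessDEPPolicy" and c.args and c.args[0] == f"{PROCESS_DEP_ENABLE:08X}":
            findings.append("enables DEP for the process (PROCESS_DEP_ENABLE)")
    if ({"CreateProcessA", "CreateProcessW"} & apis
            and {"MsgWaitForMultipleObjects", "WaitForSingleObject"} & apis
            and "GetExitCodeProcess" in apis):
        findings.append("spawns a child process, blocks until it exits, then reads its exit code")
    return findings


if __name__ == "__main__":
    for label, text in (("loader stub", LOADER_FUNC), ("spawn-and-wait", SPAWN_FUNC)):
        print(label)
        for finding in summarize(parse_api_lines(text)):
            print("  -", finding)
```

Run it over the "APIs" section of any function block copied out of the report; the two samples produce the hardening and DEP findings for the first block and the spawn-and-wait finding for the second.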

                                                                                                              Control-flow Graph

                                                                                                               Control-flow graph (rendered image not extracted): function at 401fd4, basic blocks 401fd4 to 402158; calls 401918 at 401fe8, RtlEnterCriticalSection at 402012, 401ee0 at 40211d, 402f54 at 4020a2 and 4020ef, RtlLeaveCriticalSection at 40213d.
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                                                • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                                • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                                • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                                • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                              • String ID: 0AJ
                                                                                                              • API String ID: 296031713-2755783240
                                                                                                              • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                                              • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                                              • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                                              • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message
                                                                                                              • String ID: .tmp$y@
                                                                                                              • API String ID: 2030045667-2396523267
                                                                                                              • Opcode ID: d4ac7463dbf5d161e361ca9bc326db0ca40d9a64499bf0d63171a4d21a2c3052
                                                                                                              • Instruction ID: b6b31011a0dd284aafbaa2c2e49cce084e53b2f1e69b481334740b61ed9710c2
                                                                                                              • Opcode Fuzzy Hash: d4ac7463dbf5d161e361ca9bc326db0ca40d9a64499bf0d63171a4d21a2c3052
                                                                                                              • Instruction Fuzzy Hash: DA41A171704200DFD715EF65EED1A1A77A5E749304B61853AF804B73E1C679AC10CBAD

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message
                                                                                                              • String ID: .tmp$y@
                                                                                                              • API String ID: 2030045667-2396523267
                                                                                                              • Opcode ID: 0c9aecb76b7a3e7a11760fd8a915a701fd69e196c0d41de26bbb48f3063f32c7
                                                                                                              • Instruction ID: ebe7ed5bd99e4afc73068d402fc5cc7c846ae42ea211bad011db29787866ec42
                                                                                                              • Opcode Fuzzy Hash: 0c9aecb76b7a3e7a11760fd8a915a701fd69e196c0d41de26bbb48f3063f32c7
                                                                                                              • Instruction Fuzzy Hash: 4B41A070700200DFC711EF65DED6A5A77A5EB49304B61463AF804B73E2CAB9AC10CBAD

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                              • String ID: .tmp
                                                                                                              • API String ID: 1375471231-2986845003
                                                                                                              • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                                              • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                                              • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                                              • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$AllocFree
                                                                                                              • String ID: dWJ
                                                                                                              • API String ID: 2087232378-3547126259
                                                                                                              • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                              • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                                              • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                              • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3934441357-0
                                                                                                              • Opcode ID: 0d97ba09832f2edb8a9261174954e33b910c8f4b3fb34c4f4c7315014af2e0c8
                                                                                                              • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                                              • Opcode Fuzzy Hash: 0d97ba09832f2edb8a9261174954e33b910c8f4b3fb34c4f4c7315014af2e0c8
                                                                                                              • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID: dWJ
                                                                                                              • API String ID: 1263568516-3547126259
                                                                                                              • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                              • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLibraryLoadMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2987862817-0
                                                                                                              • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                              • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                                              • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                              • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                                              APIs
                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                                                • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$FilePointer
                                                                                                              • String ID:
                                                                                                              • API String ID: 1156039329-0
                                                                                                              • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                              • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                                              • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                              • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776
                                                                                                              APIs
                                                                                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileLastRead
                                                                                                              • String ID:
                                                                                                              • API String ID: 1948546556-0
                                                                                                              • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                              • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                                              • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                              • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• SetEndOfFile.KERNEL32(?,02108000,0040AA59,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Memory Dump Source
• Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
                                                                                                              • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                              • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                                              • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                              • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                                              • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                              • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                                              APIs
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 2962429428-0
                                                                                                              • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                              • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                                              • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                              • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 1263568516-0
                                                                                                              • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                              • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                                              • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                              • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                              • API String ID: 107509674-3733053543
                                                                                                              • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                              • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                                              • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                              • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                                              • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 3473537107-0
                                                                                                              • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                              • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                                              • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                              • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                                              APIs
                                                                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                              • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                                              • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                              • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                                              APIs
                                                                                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                                              Similarity
                                                                                                              • API ID: SystemTime
                                                                                                              • String ID:
                                                                                                              • API String ID: 2656138-0
                                                                                                              • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                              • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                                              • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                              • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                              APIs
                                                                                                              • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                                              Similarity
                                                                                                              • API ID: Version
                                                                                                              • String ID:
                                                                                                              • API String ID: 1889659487-0
                                                                                                              • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                              • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                                              • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                              • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                              • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                              • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                              • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                                              • LocalFree.KERNEL32(004A4130,00000000,00401AB4), ref: 00401A1B
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,004A4130,00000000,00401AB4), ref: 00401A3A
                                                                                                              • LocalFree.KERNEL32(004A5130,?,00000000,00008000,004A4130,00000000,00401AB4), ref: 00401A79
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                              • String ID: $WJ$0AJ$0QJ$TWJ$dWJ
                                                                                                              • API String ID: 3782394904-3748099930
                                                                                                              • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                              • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                                              • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                              • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressCloseHandleModuleProc
                                                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                              • API String ID: 4190037839-2401316094
                                                                                                              • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                              • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                                              • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                              • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                              • String ID:
                                                                                                              • API String ID: 1694776339-0
                                                                                                              • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                              • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                              • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                              • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                              APIs
                                                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                                                • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                                • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale$DefaultSystem
                                                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                              • API String ID: 1044490935-665933166
                                                                                                              • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                              • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                                              • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                              • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExitMessageProcess
                                                                                                              • String ID: Error$Runtime error at 00000000$9@
                                                                                                              • API String ID: 1220098344-1503883590
                                                                                                              • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                              • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                                              • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                              • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharMultiWide$AllocString
                                                                                                              • String ID:
                                                                                                              • API String ID: 262959230-0
                                                                                                              • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                                              • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,TWJ,?,?,?,00401800), ref: 004014B2
                                                                                                              • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,TWJ,?,?,?,00401800), ref: 004014D7
                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,TWJ,?,?,?,00401800), ref: 004014FD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Virtual$Alloc$Free
                                                                                                              • String ID: TWJ$dWJ
                                                                                                              • API String ID: 3668210933-1245926133
                                                                                                              • Opcode ID: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
                                                                                                              • Instruction ID: d5dc587d839e3be782c9b7b9e1ff5a952950f17ebcccd457e3de013d7af40e21
                                                                                                              • Opcode Fuzzy Hash: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
                                                                                                              • Instruction Fuzzy Hash: 7CF0C8717403106AEB316E694CC5F533AD89F85754F1040BAFA0DFF3DAD6745800826C
                                                                                                              APIs
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID: )q@
                                                                                                              • API String ID: 3660427363-2284170586
                                                                                                              • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                                              • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                                              • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                                              • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                                              APIs
                                                                                                              • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                                              Strings
                                                                                                              • Setup, xrefs: 00409CAD
                                                                                                              • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message
                                                                                                              • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                                              • API String ID: 2030045667-3271211647
                                                                                                              • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                                              • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                                              • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                                              • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                                              • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CommandHandleLineModule
                                                                                                              • String ID: U1hd.@
                                                                                                              • API String ID: 2123368496-2904493091
                                                                                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2904774853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2904693620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904828075.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2904897641.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastSleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 1458359878-0
                                                                                                              • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                              • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                                              • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                              • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:15.9%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:4.2%
                                                                                                              Total number of Nodes:2000
                                                                                                              Total number of Limit Nodes:61
execution_graph: serialized node/edge data behind the interactive Execution Graph widget, not reproduced here. Each node is written as a five-digit node ID, the code address it represents (all inside the image, 0x40xxxx to 0x49xxxx) and, where the node resolves imports, the API names called there or a count of the form "N API calls"; edges are written as from->to.

API names present in the graph data: WriteFile, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, LocalAlloc, VirtualAlloc, VirtualFree, GetModuleHandleA, GetCommandLineA, GetProcAddress, SetProcessDEPPolicy, TlsSetValue, TlsGetValue, LoadStringA, GetSystemDefaultLCID, GetLocaleInfoA, GlobalAlloc, GlobalLock, GlobalHandle, GlobalUnlock, GlobalFree, GlobalReAlloc, SetWindowLongA, GetWindowLongA, SetPropA, EnumWindows, GetWindow, SetWindowPos, IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, PostQuitMessage, ShowWindow, WinHelpA, IsWindowEnabled, IsWindowVisible, IsWindow, EnableWindow, GetCurrentThreadId, EnumThreadWindows, NtdllDefWindowProc_A, CloseHandle, CallWindowProcA, GetSysColor, SetTextColor, SetBkColor, CreateBrushIndirect, MessageBeep, VariantClear, GetCurrentDirectoryA, SetCurrentDirectoryA, IsDBCSLeadByte, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, SetLastError, GetLastError, DeleteFileA, RemoveDirectoryA, MoveFileA, CreateDirectoryA, CreateWindowExA, SetActiveWindow.

Call groupings visible in the data: GetModuleHandleA/GetProcAddress resolving SetProcessDEPPolicy at runtime near 0x40632c; locale probing via GetSystemDefaultLCID followed by repeated GetLocaleInfoA near 0x4085xx to 0x4089xx; file-system operations (DeleteFileA, RemoveDirectoryA, MoveFileA, CreateDirectoryA) bracketed by Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection near 0x4527xx to 0x452exx, each followed by GetLastError.
46a24c 53544->53548 53953 42f5d4 53545->53953 53546->53545 53549 4668a8 20 API calls 53547->53549 53550 40357c 4 API calls 53548->53550 53551 46a1ef 53549->53551 53552 46a25a 53550->53552 53555 40357c 4 API calls 53551->53555 53553 414b28 4 API calls 53552->53553 53557 46a216 53553->53557 53556 46a1f8 53555->53556 53559 40357c 4 API calls 53556->53559 53560 466be0 11 API calls 53557->53560 53562 46a205 53559->53562 53567 46a27c 53560->53567 53564 414b28 4 API calls 53562->53564 53563 46a151 53565 46aea8 21 API calls 53563->53565 53564->53557 53566 46a183 53565->53566 53566->53452 53568 414b28 4 API calls 53567->53568 53567->53573 53569 46a2df 53568->53569 53970 496228 MulDiv 53569->53970 53571 46a2fc 53572 414b28 4 API calls 53571->53572 53572->53573 53573->53525 53579 46a3b4 53574->53579 53576 46a3ef 53583 46a564 53576->53583 53589 46a403 53576->53589 53577 46a6e4 53581 403400 4 API calls 53577->53581 53578 46a58b 53585 414b28 4 API calls 53578->53585 53579->53576 54026 47e48c 53579->54026 53580 46a541 53586 46a55c 53580->53586 53593 402660 4 API calls 53580->53593 53587 46a709 53581->53587 53582 402648 4 API calls 53582->53589 53583->53577 53583->53578 53584 46a5a1 53583->53584 53591 414b28 4 API calls 53584->53591 53590 46a59f 53585->53590 53586->53466 53587->53466 53588 402660 4 API calls 53588->53589 53589->53582 53589->53588 53599 46a476 53589->53599 54042 496228 MulDiv 53590->54042 53591->53590 53592 46a50d 53594 457fc4 24 API calls 53592->53594 53593->53586 53594->53580 53597 46a5c2 53600 466be0 11 API calls 53597->53600 53598 457fc4 24 API calls 53598->53599 53599->53580 53599->53592 53599->53598 53602 40357c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53599->53602 54041 403ba4 7 API calls 53599->54041 53601 46a5f6 53600->53601 54043 466be8 KiUserCallbackDispatcher 53601->54043 53602->53599 53604 46a609 53605 466be0 11 API calls 53604->53605 53606 46a61a 53605->53606 53607 414b28 4 API calls 53606->53607 53608 46a64d 53607->53608 54044 496228 MulDiv 
53608->54044 53610 46a66a 53611 414b28 4 API calls 53610->53611 53612 46a6a1 53611->53612 54045 496228 MulDiv 53612->54045 53614 46a6be 53615 414b28 4 API calls 53614->53615 53615->53577 53617 46c524 49 API calls 53616->53617 53618 4835ab 53617->53618 53619 4835b4 53618->53619 54263 408bf0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53618->54263 53621 414af8 4 API calls 53619->53621 53622 4835c4 53621->53622 53623 403450 4 API calls 53622->53623 53624 4835d1 53623->53624 54073 46c87c 53624->54073 53627 4835e1 53629 414af8 4 API calls 53627->53629 53630 4835f1 53629->53630 53631 403450 4 API calls 53630->53631 53632 4835fe 53631->53632 53633 46992c SendMessageA 53632->53633 53634 483617 53633->53634 53635 483668 53634->53635 54265 47a29c 23 API calls 53634->54265 53637 4241ec 11 API calls 53635->53637 53638 483672 53637->53638 53639 483698 53638->53639 53640 483683 SetActiveWindow 53638->53640 54102 482998 53639->54102 53640->53639 53689->53433 53690->53418 53691->53418 53692->53418 55795 43da3c 53693->55795 53696 49552a 53698 495539 53696->53698 55833 494ca0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53696->55833 53697 4954a4 55800 431c44 53697->55800 53698->53434 53707 4954ee 55831 494d34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53707->55831 53709 495502 55832 433e44 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53709->55832 53711 495522 53711->53434 53712->53443 53713->53434 53724 46c5bc 53714->53724 53717->53489 53718->53487 53838 42ccdc 53719->53838 53722->53485 53723->53504 53725 414af8 4 API calls 53724->53725 53726 46c5f0 53725->53726 53785 466940 53726->53785 53729 414b28 4 API calls 53730 46c602 53729->53730 53731 46c611 53730->53731 53736 46c62a 53730->53736 53814 47f454 43 API calls 53731->53814 53733 46c625 53734 403420 4 API calls 53733->53734 53735 46b802 53734->53735 53735->53474 53735->53476 53737 46c671 53736->53737 53738 46c658 53736->53738 53739 46c6d6 53737->53739 53752 46c675 53737->53752 53815 47f454 43 API calls 
53738->53815 53817 42cb5c CharNextA 53739->53817 53742 46c6e5 53743 46c6e9 53742->53743 53747 46c702 53742->53747 53818 47f454 43 API calls 53743->53818 53745 46c6bd 53816 47f454 43 API calls 53745->53816 53746 46c726 53819 47f454 43 API calls 53746->53819 53747->53746 53794 466ab0 53747->53794 53752->53745 53752->53747 53755 46c73f 53756 403778 4 API calls 53755->53756 53757 46c755 53756->53757 53802 42c9ac 53757->53802 53760 46c766 53820 466b3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53760->53820 53761 46c797 53763 42c8dc 5 API calls 53761->53763 53765 46c7a2 53763->53765 53764 46c779 53766 4514cc 4 API calls 53764->53766 53767 42c40c 5 API calls 53765->53767 53768 46c786 53766->53768 53769 46c7ad 53767->53769 53821 47f454 43 API calls 53768->53821 53771 42cbd0 6 API calls 53769->53771 53772 46c7b8 53771->53772 53806 46c550 53772->53806 53774 46c7c0 53775 42cd58 7 API calls 53774->53775 53776 46c7c8 53775->53776 53777 46c7e2 53776->53777 53778 46c7cc 53776->53778 53777->53733 53780 46c7ec 53777->53780 53822 47f454 43 API calls 53778->53822 53781 46c7f4 GetDriveTypeA 53780->53781 53781->53733 53782 46c7ff 53781->53782 53823 47f454 43 API calls 53782->53823 53784 46c813 53784->53733 53786 46695a 53785->53786 53788 42cbd0 6 API calls 53786->53788 53789 403450 4 API calls 53786->53789 53790 406bc0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53786->53790 53791 4669a3 53786->53791 53824 42cabc 53786->53824 53788->53786 53789->53786 53790->53786 53792 403420 4 API calls 53791->53792 53793 4669bd 53792->53793 53793->53729 53795 466aba 53794->53795 53796 466acd 53795->53796 53835 42cb4c CharNextA 53795->53835 53796->53746 53798 466ae0 53796->53798 53799 466aea 53798->53799 53800 466b17 53799->53800 53836 42cb4c CharNextA 53799->53836 53800->53746 53800->53755 53803 42ca05 53802->53803 53804 42c9c2 53802->53804 53803->53760 53803->53761 53804->53803 53837 42cb4c CharNextA 53804->53837 53807 46c5b5 53806->53807 53808 46c563 53806->53808 53807->53774 53808->53807 
53809 41eeb4 2 API calls 53808->53809 53810 46c573 53809->53810 53811 46c58d SHPathPrepareForWriteA 53810->53811 53812 41ef68 6 API calls 53811->53812 53813 46c5ad 53812->53813 53813->53774 53814->53733 53815->53733 53816->53733 53817->53742 53818->53733 53819->53733 53820->53764 53821->53733 53822->53733 53823->53784 53825 403494 4 API calls 53824->53825 53828 42cacc 53825->53828 53826 403744 4 API calls 53826->53828 53828->53826 53831 42cb02 53828->53831 53833 42c454 IsDBCSLeadByte 53828->53833 53829 42cb46 53829->53786 53831->53829 53832 4037b8 4 API calls 53831->53832 53834 42c454 IsDBCSLeadByte 53831->53834 53832->53831 53833->53828 53834->53831 53835->53795 53836->53799 53837->53804 53839 42cbd0 6 API calls 53838->53839 53840 42ccfe 53839->53840 53841 42cd06 GetFileAttributesA 53840->53841 53842 403400 4 API calls 53841->53842 53843 42cd23 53842->53843 53843->53485 53843->53492 53846 46a84b 53844->53846 53845 46acc3 53847 46acde 53845->53847 53848 46ad0f 53845->53848 53846->53845 53849 46a906 53846->53849 53853 403494 4 API calls 53846->53853 53852 403494 4 API calls 53847->53852 53850 403494 4 API calls 53848->53850 53851 46a927 53849->53851 53855 46a968 53849->53855 53854 46ad1d 53850->53854 53856 403494 4 API calls 53851->53856 53857 46acec 53852->53857 53858 46a88a 53853->53858 53942 469220 12 API calls 53854->53942 53859 403400 4 API calls 53855->53859 53861 46a935 53856->53861 53941 469220 12 API calls 53857->53941 53863 414af8 4 API calls 53858->53863 53864 46a966 53859->53864 53865 414af8 4 API calls 53861->53865 53867 46a8ab 53863->53867 53887 46aa4c 53864->53887 53930 46992c 53864->53930 53869 46a956 53865->53869 53866 46acfa 53868 403400 4 API calls 53866->53868 53870 403634 4 API calls 53867->53870 53872 46ad40 53868->53872 53874 403634 4 API calls 53869->53874 53875 46a8bb 53870->53875 53879 403400 4 API calls 53872->53879 53873 46aad4 53877 403400 4 API calls 53873->53877 53874->53864 53876 414af8 4 API calls 53875->53876 53880 46a8cf 
53876->53880 53881 46aad2 53877->53881 53878 46a988 53882 46a9c6 53878->53882 53883 46a98e 53878->53883 53884 46ad48 53879->53884 53880->53849 53889 414af8 4 API calls 53880->53889 53936 469d68 43 API calls 53881->53936 53888 403400 4 API calls 53882->53888 53885 403494 4 API calls 53883->53885 53886 403420 4 API calls 53884->53886 53890 46a99c 53885->53890 53891 46ad55 53886->53891 53887->53873 53892 46aa93 53887->53892 53893 46a9c4 53888->53893 53894 46a8f6 53889->53894 53896 47c6f0 43 API calls 53890->53896 53891->53511 53897 403494 4 API calls 53892->53897 53902 469c20 43 API calls 53893->53902 53898 403634 4 API calls 53894->53898 53900 46a9b4 53896->53900 53901 46aaa1 53897->53901 53898->53849 53899 46aafd 53908 46ab5e 53899->53908 53909 46ab08 53899->53909 53903 403634 4 API calls 53900->53903 53904 414af8 4 API calls 53901->53904 53906 46a9ed 53902->53906 53903->53893 53905 46aac2 53904->53905 53907 403634 4 API calls 53905->53907 53912 46aa4e 53906->53912 53913 46a9f8 53906->53913 53907->53881 53910 403400 4 API calls 53908->53910 53911 403494 4 API calls 53909->53911 53914 46ab66 53910->53914 53918 46ab16 53911->53918 53915 403400 4 API calls 53912->53915 53916 403494 4 API calls 53913->53916 53917 46ab5c 53914->53917 53928 46ac0f 53914->53928 53915->53887 53921 46aa06 53916->53921 53917->53914 53937 495368 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53917->53937 53918->53914 53918->53917 53923 403634 4 API calls 53918->53923 53920 46ab89 53920->53928 53938 495614 18 API calls 53920->53938 53921->53887 53924 403634 4 API calls 53921->53924 53923->53918 53924->53921 53926 46acb0 53940 429154 SendMessageA SendMessageA 53926->53940 53939 429104 SendMessageA 53928->53939 53929->53512 53943 42a050 SendMessageA 53930->53943 53932 46993b 53933 46995b 53932->53933 53944 42a050 SendMessageA 53932->53944 53933->53878 53935 46994b 53935->53878 53936->53899 53937->53920 53938->53928 53939->53926 53940->53845 53941->53866 53942->53866 53943->53932 53944->53935 
53946 47e19d 53945->53946 53949 47e1da 53945->53949 53971 455db4 53946->53971 53949->53517 53951 47e1f1 53951->53517 53952->53526 53954 42f5e0 53953->53954 53955 42f603 GetActiveWindow GetFocus 53954->53955 53956 41eeb4 2 API calls 53955->53956 53957 42f61a 53956->53957 53958 42f637 53957->53958 53959 42f627 RegisterClassA 53957->53959 53960 42f6c6 SetFocus 53958->53960 53961 42f645 CreateWindowExA 53958->53961 53959->53958 53963 403400 4 API calls 53960->53963 53961->53960 53962 42f678 53961->53962 54020 42428c 53962->54020 53965 42f6e2 53963->53965 53969 495614 18 API calls 53965->53969 53966 42f6a0 53967 42f6a8 CreateWindowExA 53966->53967 53967->53960 53968 42f6be ShowWindow 53967->53968 53968->53960 53969->53563 53970->53571 53972 455dc5 53971->53972 53973 455dd2 53972->53973 53974 455dc9 53972->53974 54005 455b98 29 API calls 53973->54005 53997 455ab8 53974->53997 53977 455dcf 53977->53949 53978 47ddf4 53977->53978 53979 47def0 53978->53979 53986 47de34 53978->53986 53982 479a9c 19 API calls 53979->53982 53987 47df41 53979->53987 53993 47de93 53979->53993 53980 403420 4 API calls 53981 47dfd3 53980->53981 53981->53951 53982->53979 53983 479bdc 19 API calls 53983->53986 53985 47c6f0 43 API calls 53985->53987 53986->53979 53986->53983 53990 47c6f0 43 API calls 53986->53990 53986->53993 53995 47de9c 53986->53995 54014 479d58 53986->54014 53987->53979 53987->53985 53989 454174 20 API calls 53987->53989 53992 47dedd 53987->53992 53988 47c6f0 43 API calls 53988->53995 53989->53987 53990->53986 53991 42c93c 5 API calls 53991->53995 53992->53993 53993->53980 53994 42c964 5 API calls 53994->53995 53995->53986 53995->53988 53995->53991 53995->53992 53995->53994 54018 47db00 52 API calls 53995->54018 53998 42de2c RegOpenKeyExA 53997->53998 53999 455ad5 53998->53999 54000 455b23 53999->54000 54006 4559ec 53999->54006 54000->53977 54003 4559ec 6 API calls 54004 455b04 RegCloseKey 54003->54004 54004->53977 54005->53977 54011 42dd68 54006->54011 54008 403420 4 API calls 
54010 455a9e 54008->54010 54009 455a14 54009->54008 54010->54003 54012 42dc10 6 API calls 54011->54012 54013 42dd71 54012->54013 54013->54009 54016 479d64 54014->54016 54015 479d7f 54015->53986 54016->54015 54019 4533b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54016->54019 54018->53995 54019->54015 54021 4242be 54020->54021 54022 42429e GetWindowTextA 54020->54022 54024 403494 4 API calls 54021->54024 54023 4034e0 4 API calls 54022->54023 54025 4242bc 54023->54025 54024->54025 54025->53966 54027 402648 4 API calls 54026->54027 54028 47e4b0 54027->54028 54029 47ddf4 61 API calls 54028->54029 54030 47e4d3 54029->54030 54031 47e4e0 54030->54031 54032 47e568 54030->54032 54069 4953c4 18 API calls 54031->54069 54034 47e57c 54032->54034 54046 47e21c 54032->54046 54035 47e5a8 54034->54035 54039 402660 4 API calls 54034->54039 54038 402660 4 API calls 54035->54038 54036 47e522 54036->53576 54040 47e5b2 54038->54040 54039->54034 54040->53576 54041->53599 54042->53597 54043->53604 54044->53610 54045->53614 54047 403494 4 API calls 54046->54047 54048 47e24b 54047->54048 54049 42c93c 5 API calls 54048->54049 54060 47e2af 54048->54060 54050 47e266 54049->54050 54070 42ca10 7 API calls 54050->54070 54051 47e2bf 54053 403400 4 API calls 54051->54053 54056 47e3f9 54053->54056 54054 47e32b 54054->54051 54055 47e380 54054->54055 54072 453c80 11 API calls 54054->54072 54063 402648 4 API calls 54055->54063 54058 403420 4 API calls 54056->54058 54061 47e406 54058->54061 54059 47e375 54062 403494 4 API calls 54059->54062 54060->54051 54060->54054 54064 402660 4 API calls 54060->54064 54061->54034 54062->54055 54065 47e394 54063->54065 54064->54060 54066 47e3bc MultiByteToWideChar 54065->54066 54066->54051 54067 47e271 54067->54060 54071 42e8b0 CharNextA 54067->54071 54069->54036 54070->54067 54071->54067 54072->54059 54074 46c8a5 54073->54074 54075 414af8 4 API calls 54074->54075 54085 46c8f2 54074->54085 54077 46c8bb 54075->54077 54076 403420 4 API calls 54078 46c99c 54076->54078 
54272 4669cc 6 API calls 54077->54272 54078->53627 54264 408bf0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 54078->54264 54080 46c8c3 54081 414b28 4 API calls 54080->54081 54082 46c8d1 54081->54082 54083 46c8de 54082->54083 54086 46c8f7 54082->54086 54273 47f454 43 API calls 54083->54273 54085->54076 54087 46c90f 54086->54087 54088 466ab0 CharNextA 54086->54088 54274 47f454 43 API calls 54087->54274 54090 46c90b 54088->54090 54090->54087 54091 46c925 54090->54091 54092 46c941 54091->54092 54093 46c92b 54091->54093 54095 42c9ac CharNextA 54092->54095 54275 47f454 43 API calls 54093->54275 54096 46c94e 54095->54096 54096->54085 54276 466b3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54096->54276 54098 46c965 54099 4514cc 4 API calls 54098->54099 54100 46c972 54099->54100 54277 47f454 43 API calls 54100->54277 54103 4829e9 54102->54103 54104 4829bb 54102->54104 54106 47600c 54103->54106 54278 4953c4 18 API calls 54104->54278 54107 457db8 24 API calls 54106->54107 54108 476058 54107->54108 54109 4072b8 SetCurrentDirectoryA 54108->54109 54110 476062 54109->54110 54279 46e408 54110->54279 54114 476072 54287 45a1f0 54114->54287 54117 47c6f0 43 API calls 54118 4760c9 54117->54118 54120 4760d9 54118->54120 54709 4533b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54118->54709 54121 4760fb 54120->54121 54710 4533b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54120->54710 54123 479260 20 API calls 54121->54123 54124 476106 54123->54124 54291 47992c 54124->54291 54127 403450 4 API calls 54128 47612d 54127->54128 54129 403450 4 API calls 54128->54129 54130 47613b 54129->54130 54295 46eb5c 54130->54295 54265->53635 54272->54080 54273->54085 54274->54085 54275->54085 54276->54098 54277->54085 54278->54103 54280 46e47b 54279->54280 54282 46e425 54279->54282 54283 46e480 54280->54283 54281 479bdc 19 API calls 54281->54282 54282->54280 54282->54281 54284 46e4a6 54283->54284 54718 44fb90 54284->54718 54286 46e502 54286->54114 54288 45a1f6 54287->54288 54289 
45a4d8 4 API calls 54288->54289 54290 45a212 54289->54290 54290->54117 54292 479939 54291->54292 54293 4797d4 19 API calls 54292->54293 54294 47610e 54292->54294 54293->54294 54294->54127 54296 46eb9a 54295->54296 54297 46eb8a 54295->54297 54299 403400 4 API calls 54296->54299 54298 403494 4 API calls 54297->54298 54300 46eb98 54298->54300 54299->54300 54301 455608 5 API calls 54300->54301 54302 46ebae 54301->54302 54303 455644 5 API calls 54302->54303 54304 46ebbc 54303->54304 54305 46eb34 5 API calls 54304->54305 54306 46ebd0 54305->54306 54307 45a2ac 4 API calls 54306->54307 54308 46ebe8 54307->54308 54309 403420 4 API calls 54308->54309 54310 46ec02 54309->54310 54311 403400 4 API calls 54310->54311 54312 46ec0a 54311->54312 54313 46ed68 54312->54313 54314 4034e0 4 API calls 54313->54314 54315 46eda5 54314->54315 54316 46edae 54315->54316 54709->54120 54710->54121 54721 44fba4 54718->54721 54722 44fbb5 54721->54722 54723 44fba1 54722->54723 54724 44fbdf MulDiv 54722->54724 54723->54286 54725 4181f0 54724->54725 54726 44fc0a SendMessageA 54725->54726 54726->54723 55834 431f60 55795->55834 55797 403400 4 API calls 55798 43daea 55797->55798 55798->53696 55798->53697 55799 43da66 55799->55797 55801 431c4a 55800->55801 55802 402648 4 API calls 55801->55802 55803 431c7a 55802->55803 55804 494ed0 55803->55804 55805 494fa5 55804->55805 55806 494eea 55804->55806 55811 494fe8 55805->55811 55806->55805 55808 433de0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55806->55808 55810 403450 4 API calls 55806->55810 55839 408c1c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55806->55839 55840 431d14 55806->55840 55808->55806 55810->55806 55812 495004 55811->55812 55848 433de0 55812->55848 55814 495009 55815 431d14 4 API calls 55814->55815 55816 495014 55815->55816 55817 43d608 55816->55817 55818 43d635 55817->55818 55823 43d627 55817->55823 55818->53707 55819 43d6b1 55827 43d76b 55819->55827 55851 4470f8 55819->55851 55821 43d6fc 55857 43ddc4 55821->55857 55823->55818 
55823->55819 55824 4470f8 4 API calls 55823->55824 55824->55823 55825 43d971 55825->55818 55877 447098 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55825->55877 55827->55825 55828 43d952 55827->55828 55875 447098 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55827->55875 55876 447098 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55828->55876 55831->53709 55832->53711 55833->53698 55835 403494 4 API calls 55834->55835 55837 431f6f 55835->55837 55836 431f99 55836->55799 55837->55836 55838 403744 4 API calls 55837->55838 55838->55837 55839->55806 55841 431d22 55840->55841 55842 431d34 55840->55842 55846 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55841->55846 55844 431d56 55842->55844 55847 431cb4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55842->55847 55844->55806 55846->55842 55847->55844 55849 402648 4 API calls 55848->55849 55850 433def 55849->55850 55850->55814 55852 447117 55851->55852 55853 44711e 55851->55853 55878 446ea4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55852->55878 55855 431d14 4 API calls 55853->55855 55856 44712e 55855->55856 55856->55821 55858 43dde0 55857->55858 55871 43de0d 55857->55871 55859 402660 4 API calls 55858->55859 55858->55871 55859->55858 55860 43de42 55860->55827 55862 43ff19 55862->55860 55883 447098 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55862->55883 55863 43c9ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55863->55871 55864 447098 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55864->55871 55866 433b8c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55866->55871 55870 433d8c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55870->55871 55871->55860 55871->55862 55871->55863 55871->55864 55871->55866 55871->55870 55872 4366c4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55872 55873 431cb4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55873 55874 446ea4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55874 55879 436ec0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55879 
55880 439754 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55880 55881 43dcbc 18 API calls 55871->55881 55882 433da8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55871->55882 55872->55871 55873->55871 55874->55871 55875->55827 55876->55825 55877->55825 55878->55853 55879->55871 55880->55871 55881->55871 55882->55871 55883->55862 55884 42f594 55885 42f5a3 NtdllDefWindowProc_A 55884->55885 55886 42f59f 55884->55886 55885->55886 55887 435954 55888 435969 55887->55888 55892 435983 55888->55892 55893 43533c 55888->55893 55898 435386 55893->55898 55904 43536c 55893->55904 55894 403400 4 API calls 55895 43578b 55894->55895 55895->55892 55906 43579c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55895->55906 55896 446e18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55896->55904 55897 402648 4 API calls 55897->55904 55898->55894 55900 431d14 4 API calls 55900->55904 55901 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55901->55904 55902 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55902->55904 55903 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55903->55904 55904->55896 55904->55897 55904->55898 55904->55900 55904->55901 55904->55902 55904->55903 55907 434424 55904->55907 55919 434be8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55904->55919 55906->55892 55908 4344e1 55907->55908 55909 434451 55907->55909 55938 434384 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55908->55938 55910 403494 4 API calls 55909->55910 55912 43445f 55910->55912 55915 403778 4 API calls 55912->55915 55913 4344d3 55914 403400 4 API calls 55913->55914 55916 434531 55914->55916 55917 434480 55915->55917 55916->55904 55917->55913 55920 49501c 55917->55920 55919->55904 55921 4950ec 55920->55921 55922 495054 55920->55922 55939 4489a4 55921->55939 55923 403494 4 API calls 55922->55923 55927 49505f 55923->55927 55925 49506f 55926 403400 4 API calls 55925->55926 55928 495110 55926->55928 55927->55925 55930 4037b8 4 API calls 55927->55930 55929 403400 4 API calls 
55928->55929 55931 495118 55929->55931 55932 495088 55930->55932 55931->55917 55932->55925 55933 4037b8 4 API calls 55932->55933 55934 4950ab 55933->55934 55935 403778 4 API calls 55934->55935 55936 4950dc 55935->55936 55937 403634 4 API calls 55936->55937 55937->55921 55938->55913 55940 4489c9 55939->55940 55950 448a0c 55939->55950 55941 403494 4 API calls 55940->55941 55943 4489d4 55941->55943 55942 448a20 55945 403400 4 API calls 55942->55945 55947 4037b8 4 API calls 55943->55947 55946 448a53 55945->55946 55946->55925 55948 4489f0 55947->55948 55949 4037b8 4 API calls 55948->55949 55949->55950 55950->55942 55951 4485a0 55950->55951 55952 403494 4 API calls 55951->55952 55953 4485d6 55952->55953 55954 4037b8 4 API calls 55953->55954 55955 4485e8 55954->55955 55956 403778 4 API calls 55955->55956 55957 448609 55956->55957 55958 4037b8 4 API calls 55957->55958 55959 448621 55958->55959 55960 403778 4 API calls 55959->55960 55961 44864c 55960->55961 55962 4037b8 4 API calls 55961->55962 55973 448664 55962->55973 55963 44869c 55965 403420 4 API calls 55963->55965 55964 448737 55968 44873f GetProcAddress 55964->55968 55969 44877c 55965->55969 55966 4486bf LoadLibraryExA 55966->55973 55967 4486d1 LoadLibraryA 55967->55973 55970 448752 55968->55970 55969->55942 55970->55963 55971 403b80 4 API calls 55971->55973 55972 403450 4 API calls 55972->55973 55973->55963 55973->55964 55973->55966 55973->55967 55973->55971 55973->55972 55975 43dafc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55973->55975 55975->55973 55976 44b51c 55977 44b52a 55976->55977 55979 44b549 55976->55979 55978 44b400 11 API calls 55977->55978 55977->55979 55978->55979 55980 44879c 55981 4487d1 55980->55981 55988 4487ca 55980->55988 55984 4485a0 7 API calls 55981->55984 55986 4487e5 55981->55986 55982 403494 4 API calls 55987 4487fe 55982->55987 55983 403400 4 API calls 55985 44897b 55983->55985 55984->55986 55986->55982 55986->55988 55989 4037b8 4 API calls 55987->55989 55988->55983 55990 44881a 
55989->55990 55991 4037b8 4 API calls 55990->55991 55992 448836 55991->55992 55992->55988 55993 44884a 55992->55993 55994 4037b8 4 API calls 55993->55994 55995 448864 55994->55995 55996 431c44 4 API calls 55995->55996 55997 448886 55996->55997 55998 431d14 4 API calls 55997->55998 56003 4488a6 55997->56003 55998->55997 55999 4488fc 56012 4423a8 55999->56012 56001 4488e4 56001->55999 56024 443644 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56001->56024 56003->56001 56023 443644 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56003->56023 56005 448930 GetLastError 56025 448534 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56005->56025 56007 44893f 56026 443684 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56007->56026 56009 448954 56027 443694 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56009->56027 56011 44895c 56013 443386 56012->56013 56014 4423e1 56012->56014 56016 403400 4 API calls 56013->56016 56015 403400 4 API calls 56014->56015 56017 4423e9 56015->56017 56018 44339b 56016->56018 56019 431c44 4 API calls 56017->56019 56018->56005 56021 4423f5 56019->56021 56020 443376 56020->56005 56021->56020 56028 441a80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56021->56028 56023->56003 56024->55999 56025->56007 56026->56009 56027->56011 56028->56021 56029 492dec 56030 492e20 56029->56030 56031 492e22 56030->56031 56032 492e36 56030->56032 56165 447010 18 API calls 56031->56165 56036 492e72 56032->56036 56037 492e45 56032->56037 56034 492e2b Sleep 56035 492e6d 56034->56035 56038 403420 4 API calls 56035->56038 56042 492eae 56036->56042 56043 492e81 56036->56043 56039 44706c 18 API calls 56037->56039 56040 4932e0 56038->56040 56041 492e54 56039->56041 56045 492e5c FindWindowA 56041->56045 56048 492ebd 56042->56048 56049 492f04 56042->56049 56044 44706c 18 API calls 56043->56044 56046 492e8e 56044->56046 56047 4472ec 5 API calls 56045->56047 56050 492e96 FindWindowA 56046->56050 56047->56035 56166 447010 18 API calls 56048->56166 56055 492f60 56049->56055 56056 
492f13 56049->56056 56052 4472ec 5 API calls 56050->56052 56054 492ea9 56052->56054 56053 492ec9 56167 447010 18 API calls 56053->56167 56054->56035 56063 492fbc 56055->56063 56064 492f6f 56055->56064 56170 447010 18 API calls 56056->56170 56059 492ed6 56168 447010 18 API calls 56059->56168 56061 492f1f 56171 447010 18 API calls 56061->56171 56062 492ee3 56169 447010 18 API calls 56062->56169 56073 492fcb 56063->56073 56074 492ff6 56063->56074 56175 447010 18 API calls 56064->56175 56068 492f2c 56172 447010 18 API calls 56068->56172 56069 492eee SendMessageA 56072 4472ec 5 API calls 56069->56072 56070 492f7b 56176 447010 18 API calls 56070->56176 56072->56054 56078 44706c 18 API calls 56073->56078 56085 493005 56074->56085 56086 493044 56074->56086 56076 492f39 56173 447010 18 API calls 56076->56173 56081 492fd8 56078->56081 56079 492f88 56177 447010 18 API calls 56079->56177 56080 492f44 PostMessageA 56174 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56080->56174 56088 492fe0 RegisterClipboardFormatA 56081->56088 56084 492f95 56178 447010 18 API calls 56084->56178 56180 447010 18 API calls 56085->56180 56095 493098 56086->56095 56096 493053 56086->56096 56091 4472ec 5 API calls 56088->56091 56090 493011 56181 447010 18 API calls 56090->56181 56091->56035 56092 492fa0 SendNotifyMessageA 56179 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56092->56179 56102 4930ec 56095->56102 56103 4930a7 56095->56103 56183 447010 18 API calls 56096->56183 56097 49301e 56182 447010 18 API calls 56097->56182 56100 49305f 56184 447010 18 API calls 56100->56184 56101 493029 SendMessageA 56105 4472ec 5 API calls 56101->56105 56111 4930fb 56102->56111 56112 49314e 56102->56112 56187 447010 18 API calls 56103->56187 56105->56054 56107 49306c 56185 447010 18 API calls 56107->56185 56109 4930b3 56188 447010 18 API calls 56109->56188 56110 493077 PostMessageA 56186 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56110->56186 
56115 44706c 18 API calls 56111->56115 56119 49315d 56112->56119 56120 4931d5 56112->56120 56117 493108 56115->56117 56116 4930c0 56189 447010 18 API calls 56116->56189 56121 42e3a4 2 API calls 56117->56121 56123 44706c 18 API calls 56119->56123 56130 49320a 56120->56130 56131 4931e4 56120->56131 56124 493115 56121->56124 56122 4930cb SendNotifyMessageA 56190 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56122->56190 56126 49316c 56123->56126 56127 49312b GetLastError 56124->56127 56128 49311b 56124->56128 56191 447010 18 API calls 56126->56191 56132 4472ec 5 API calls 56127->56132 56129 4472ec 5 API calls 56128->56129 56133 493129 56129->56133 56138 493219 56130->56138 56139 49323c 56130->56139 56196 447010 18 API calls 56131->56196 56132->56133 56137 4472ec 5 API calls 56133->56137 56136 4931ee FreeLibrary 56197 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56136->56197 56137->56035 56142 44706c 18 API calls 56138->56142 56148 49324b 56139->56148 56154 49327f 56139->56154 56140 49317f GetProcAddress 56143 49318b 56140->56143 56144 4931c5 56140->56144 56145 493225 56142->56145 56192 447010 18 API calls 56143->56192 56195 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56144->56195 56150 49322d CreateMutexA 56145->56150 56198 48d220 18 API calls 56148->56198 56149 493197 56193 447010 18 API calls 56149->56193 56150->56035 56153 4931a4 56157 4472ec 5 API calls 56153->56157 56154->56035 56200 48d220 18 API calls 56154->56200 56156 493257 56158 493268 OemToCharBuffA 56156->56158 56159 4931b5 56157->56159 56199 48d238 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56158->56199 56194 447144 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56159->56194 56162 49329a 56163 4932ab CharToOemBuffA 56162->56163 56201 48d238 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56163->56201 56165->56034 56166->56053 56167->56059 56168->56062 56169->56069 56170->56061 56171->56068 
56172->56076 56173->56080 56174->56054 56175->56070 56176->56079 56177->56084 56178->56092 56179->56035 56180->56090 56181->56097 56182->56101 56183->56100 56184->56107 56185->56110 56186->56054 56187->56109 56188->56116 56189->56122 56190->56035 56191->56140 56192->56149 56193->56153 56194->56054 56195->56054 56196->56136 56197->56035 56198->56156 56199->56035 56200->56162 56201->56035 56202 41ee64 56203 41ee73 IsWindowVisible 56202->56203 56204 41eea9 56202->56204 56203->56204 56205 41ee7d IsWindowEnabled 56203->56205 56205->56204 56206 41ee87 56205->56206 56207 402648 4 API calls 56206->56207 56208 41ee91 EnableWindow 56207->56208 56208->56204 56209 41fb68 56210 41fb71 56209->56210 56213 41fe0c 56210->56213 56212 41fb7e 56214 41fefe 56213->56214 56215 41fe23 56213->56215 56214->56212 56215->56214 56234 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 56215->56234 56217 41fe59 56218 41fe83 56217->56218 56219 41fe5d 56217->56219 56244 41f9cc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 56218->56244 56235 41fbac 56219->56235 56222 41fe91 56224 41fe95 56222->56224 56225 41febb 56222->56225 56228 41fbac 10 API calls 56224->56228 56229 41fbac 10 API calls 56225->56229 56226 41fbac 10 API calls 56227 41fe81 56226->56227 56227->56212 56230 41fea7 56228->56230 56231 41fecd 56229->56231 56232 41fbac 10 API calls 56230->56232 56233 41fbac 10 API calls 56231->56233 56232->56227 56233->56227 56234->56217 56236 41fbc7 56235->56236 56237 41fbdd 56236->56237 56238 41f94c 4 API calls 56236->56238 56245 41f94c 56237->56245 56238->56237 56240 41fc25 56241 41fc48 SetScrollInfo 56240->56241 56253 41faac 56241->56253 56244->56222 56246 4181f0 56245->56246 56247 41f969 GetWindowLongA 56246->56247 56248 41f9a6 56247->56248 56249 41f986 56247->56249 56265 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 56248->56265 56264 41f8d8 GetWindowLongA GetSystemMetrics GetSystemMetrics 56249->56264 56252 41f992 56252->56240 56254 41faba 
56253->56254 56255 41fac2 56253->56255 56254->56226 56256 41fb01 56255->56256 56257 41faf1 56255->56257 56263 41faff 56255->56263 56267 417e58 IsWindowVisible ScrollWindow SetWindowPos 56256->56267 56266 417e58 IsWindowVisible ScrollWindow SetWindowPos 56257->56266 56260 41fb41 GetScrollPos 56260->56254 56261 41fb4c 56260->56261 56262 41fb5b SetScrollPos 56261->56262 56262->56254 56263->56260 56264->56252 56265->56252 56266->56263 56267->56263 56268 4205a8 56269 4205bb 56268->56269 56289 415b40 56269->56289 56271 420702 56272 420719 56271->56272 56296 4146e4 KiUserCallbackDispatcher 56271->56296 56274 420730 56272->56274 56297 414728 KiUserCallbackDispatcher 56272->56297 56279 420752 56274->56279 56298 420070 12 API calls 56274->56298 56275 420661 56294 420858 20 API calls 56275->56294 56276 4205f6 56276->56271 56276->56275 56282 420652 MulDiv 56276->56282 56280 42067a 56280->56271 56295 420070 12 API calls 56280->56295 56293 41a314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 56282->56293 56285 420697 56286 4206b3 MulDiv 56285->56286 56287 4206d6 56285->56287 56286->56287 56287->56271 56288 4206df MulDiv 56287->56288 56288->56271 56290 415b52 56289->56290 56299 414480 56290->56299 56292 415b6a 56292->56276 56293->56275 56294->56280 56295->56285 56296->56272 56297->56274 56298->56279 56300 41449a 56299->56300 56303 410468 56300->56303 56302 4144b0 56302->56292 56306 40dcb4 56303->56306 56305 41046e 56305->56302 56307 40dd16 56306->56307 56308 40dcc7 56306->56308 56313 40dd24 56307->56313 56311 40dd24 19 API calls 56308->56311 56312 40dcf1 56311->56312 56312->56305 56314 40dd34 56313->56314 56316 40dd4a 56314->56316 56325 40e0ac 56314->56325 56341 40d5f0 56314->56341 56344 40df5c 56316->56344 56319 40d5f0 5 API calls 56320 40dd52 56319->56320 56320->56319 56321 40ddbe 56320->56321 56347 40db70 56320->56347 56323 40df5c 5 API calls 56321->56323 56324 40dd20 56323->56324 56324->56305 56326 40e97c 5 API calls 56325->56326 56328 40e0e7 56326->56328 56327 
403778 4 API calls 56327->56328 56328->56327 56329 40e19d 56328->56329 56414 40d784 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56328->56414 56415 40e090 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56328->56415 56330 40e1c7 56329->56330 56331 40e1b8 56329->56331 56411 40ba34 56330->56411 56361 40e3d0 56331->56361 56336 40e1c5 56338 403400 4 API calls 56336->56338 56339 40e26c 56338->56339 56339->56314 56342 40ea18 5 API calls 56341->56342 56343 40d5fa 56342->56343 56343->56314 56448 40d4cc 56344->56448 56348 40df64 5 API calls 56347->56348 56349 40dba3 56348->56349 56350 40e97c 5 API calls 56349->56350 56351 40dbae 56350->56351 56352 40e97c 5 API calls 56351->56352 56353 40dbb9 56352->56353 56354 40dbd4 56353->56354 56355 40dbcb 56353->56355 56360 40dbd1 56353->56360 56457 40d9e8 56354->56457 56460 40dad8 19 API calls 56355->56460 56358 403420 4 API calls 56359 40dc9f 56358->56359 56359->56320 56360->56358 56362 40e406 56361->56362 56363 40e3fc 56361->56363 56365 40e521 56362->56365 56366 40e4a5 56362->56366 56367 40e506 56362->56367 56368 40e586 56362->56368 56369 40e448 56362->56369 56370 40e4e9 56362->56370 56371 40e479 56362->56371 56372 40e4cb 56362->56372 56404 40e46c 56362->56404 56417 40d450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56363->56417 56373 40d774 5 API calls 56365->56373 56425 40de34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56366->56425 56430 40e8a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56367->56430 56379 40d774 5 API calls 56368->56379 56418 40d774 56369->56418 56428 40e9b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56370->56428 56371->56404 56424 40d828 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56371->56424 56427 40ddf4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56372->56427 56382 40e529 56373->56382 56375 403400 4 API calls 56383 40e5fb 56375->56383 56386 40e58e 56379->56386 56388 40e533 56382->56388 56398 
40e52d 56382->56398 56383->56336 56384 40e4f4 56429 409d48 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56384->56429 56385 40e4b0 56426 40d480 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56385->56426 56391 40e592 56386->56391 56392 40e5ab 56386->56392 56431 40ea18 56388->56431 56400 40ea18 5 API calls 56391->56400 56437 40de34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56392->56437 56393 40e471 56423 40dee8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56393->56423 56394 40e454 56421 40de34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56394->56421 56402 40e531 56398->56402 56403 40ea18 5 API calls 56398->56403 56400->56404 56401 40e45f 56422 40e27c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56401->56422 56402->56404 56435 40de34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56402->56435 56407 40e554 56403->56407 56404->56375 56434 40d8b0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56407->56434 56408 40e576 56436 40e2e4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56408->56436 56443 40b9e0 56411->56443 56414->56328 56415->56328 56416 40d784 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56416->56336 56417->56362 56419 40ea18 5 API calls 56418->56419 56420 40d77e 56419->56420 56420->56393 56420->56394 56421->56401 56422->56404 56423->56371 56424->56404 56425->56385 56426->56404 56427->56404 56428->56384 56429->56404 56430->56404 56438 40d790 56431->56438 56434->56402 56435->56408 56436->56404 56437->56404 56440 40d79b 56438->56440 56439 40d7d5 56439->56404 56440->56439 56442 40d7dc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56440->56442 56442->56440 56444 40b9f2 56443->56444 56446 40ba17 56443->56446 56444->56446 56447 40ba94 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56444->56447 56446->56336 56446->56416 56447->56446 56449 40ea18 5 API calls 56448->56449 56450 40d4d9 56449->56450 56451 40d4ec 56450->56451 56455 40eb1c LocalAlloc 
TlsSetValue TlsGetValue TlsGetValue LoadStringA 56450->56455 56451->56320 56453 40d4e7 56456 40d468 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56453->56456 56455->56453 56456->56451 56461 40ab8c 19 API calls 56457->56461 56459 40da10 56459->56360 56460->56360 56461->56459 56462 480de4 56463 451078 5 API calls 56462->56463 56464 480df8 56463->56464 56465 47fe90 21 API calls 56464->56465 56466 480e1c 56465->56466 56467 480e7e 56468 480e87 56467->56468 56469 480eb1 56468->56469 56470 480e93 56468->56470 56845 47f7c0 24 API calls 56469->56845 56471 480ea8 56470->56471 56843 47f990 43 API calls 56470->56843 56844 47f7c0 24 API calls 56471->56844 56475 480eaf 56476 480ede 56475->56476 56477 480eec 56475->56477 56846 47708c 188 API calls 56476->56846 56479 480f2b 56477->56479 56848 47f928 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56477->56848 56478 480f4f 56485 480f61 56478->56485 56486 480f67 56478->56486 56479->56478 56482 480f42 56479->56482 56483 480f44 56479->56483 56493 47f96c 43 API calls 56482->56493 56850 47fa00 43 API calls 56483->56850 56484 480ee3 56484->56477 56847 408bf0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56484->56847 56489 480f65 56485->56489 56495 47f96c 43 API calls 56485->56495 56486->56489 56494 47f96c 43 API calls 56486->56494 56487 480f1e 56849 47f990 43 API calls 56487->56849 56602 47caf0 56489->56602 56493->56478 56494->56489 56495->56489 56496 480f8e 56676 47d018 56496->56676 56603 42d8a8 GetWindowsDirectoryA 56602->56603 56604 47cb14 56603->56604 56605 403450 4 API calls 56604->56605 56606 47cb21 56605->56606 56607 42d8d4 GetSystemDirectoryA 56606->56607 56608 47cb29 56607->56608 56609 403450 4 API calls 56608->56609 56610 47cb36 56609->56610 56611 42d900 6 API calls 56610->56611 56612 47cb3e 56611->56612 56613 403450 4 API calls 56612->56613 56614 47cb4b 56613->56614 56615 47cb54 56614->56615 56616 47cb70 56614->56616 56884 42d218 56615->56884 56617 403400 4 API calls 56616->56617 56619 47cb6e 
56617->56619 56622 47cbb5 56619->56622 56623 42c8dc 5 API calls 56619->56623 56621 403450 4 API calls 56621->56619 56864 47c978 56622->56864 56625 47cb90 56623->56625 56627 403450 4 API calls 56625->56627 56630 47cb9d 56627->56630 56628 403450 4 API calls 56629 47cbd1 56628->56629 56631 47cbef 56629->56631 56632 4035c0 4 API calls 56629->56632 56630->56622 56634 403450 4 API calls 56630->56634 56633 47c978 8 API calls 56631->56633 56632->56631 56635 47cbfe 56633->56635 56634->56622 56636 403450 4 API calls 56635->56636 56637 47cc0b 56636->56637 56638 47cc33 56637->56638 56639 42c40c 5 API calls 56637->56639 56640 47cc9a 56638->56640 56643 47c978 8 API calls 56638->56643 56641 47cc21 56639->56641 56642 47cd62 56640->56642 56647 47ccba SHGetKnownFolderPath 56640->56647 56646 4035c0 4 API calls 56641->56646 56644 47cd8c 56642->56644 56645 47cd6b 56642->56645 56648 47cc4b 56643->56648 56651 42c40c 5 API calls 56644->56651 56650 42c40c 5 API calls 56645->56650 56646->56638 56652 47ccd4 56647->56652 56653 47cd0f SHGetKnownFolderPath 56647->56653 56649 403450 4 API calls 56648->56649 56654 47cc58 56649->56654 56656 47cd78 56650->56656 56657 47cd99 56651->56657 56894 403ba4 7 API calls 56652->56894 56653->56642 56655 47cd29 56653->56655 56660 47cc6b 56654->56660 56892 4533b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56654->56892 56895 403ba4 7 API calls 56655->56895 56662 4035c0 4 API calls 56656->56662 56663 4035c0 4 API calls 56657->56663 56659 47ccef CoTaskMemFree 56659->56496 56666 47c978 8 API calls 56660->56666 56667 47cd8a 56662->56667 56663->56667 56665 47cd44 CoTaskMemFree 56665->56496 56669 47cc7a 56666->56669 56875 47ca5c 56667->56875 56671 403450 4 API calls 56669->56671 56673 47cc87 56671->56673 56672 403400 4 API calls 56674 47cdc5 56672->56674 56673->56640 56893 4533b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56673->56893 56674->56496 56677 47d020 56676->56677 56677->56677 56897 453a98 56677->56897 56680 403450 4 API calls 56681 47d04d 
56680->56681 56682 403494 4 API calls 56681->56682 56683 47d05a 56682->56683 56684 40357c 4 API calls 56683->56684 56685 47d068 56684->56685 56686 457db8 24 API calls 56685->56686 56687 47d070 56686->56687 56688 47d083 56687->56688 56927 4575b0 6 API calls 56687->56927 56690 42c40c 5 API calls 56688->56690 56691 47d090 56690->56691 56692 4035c0 4 API calls 56691->56692 56693 47d0a0 56692->56693 56694 47d0aa CreateDirectoryA 56693->56694 56695 47d0b4 GetLastError 56694->56695 56717 47d110 56694->56717 56696 4514cc 4 API calls 56695->56696 56698 47d0cc 56696->56698 56928 406d78 19 API calls 56698->56928 56699 47d11d 56701 47d146 56699->56701 56702 4035c0 4 API calls 56699->56702 56704 403420 4 API calls 56701->56704 56705 47d133 56702->56705 56703 47d0dc 56706 42e8d8 5 API calls 56703->56706 56707 47d160 56704->56707 56922 47cfc0 56705->56922 56709 47d0ec 56706->56709 56710 403420 4 API calls 56707->56710 56712 45149c 4 API calls 56709->56712 56715 47d101 56712->56715 56929 408c1c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56715->56929 56915 4584b8 56717->56915 56843->56471 56844->56475 56845->56475 56846->56484 56848->56487 56849->56479 56850->56478 56865 42de2c RegOpenKeyExA 56864->56865 56866 47c99e 56865->56866 56867 47c9c4 56866->56867 56868 47c9a2 56866->56868 56870 403400 4 API calls 56867->56870 56869 42dd5c 6 API calls 56868->56869 56871 47c9ae 56869->56871 56872 47c9cb 56870->56872 56873 47c9b9 RegCloseKey 56871->56873 56874 403400 4 API calls 56871->56874 56872->56628 56873->56872 56874->56873 56876 47ca6a 56875->56876 56877 42de2c RegOpenKeyExA 56876->56877 56878 47ca92 56877->56878 56879 47cac3 56878->56879 56880 42dd5c 6 API calls 56878->56880 56879->56672 56881 47caa8 56880->56881 56882 42dd5c 6 API calls 56881->56882 56883 47caba RegCloseKey 56882->56883 56883->56879 56885 4038a4 4 API calls 56884->56885 56886 42d22b 56885->56886 56887 42d242 GetEnvironmentVariableA 56886->56887 56891 42d255 56886->56891 56896 42dbe0 LocalAlloc TlsSetValue 
TlsGetValue TlsGetValue 56886->56896 56887->56886 56888 42d24e 56887->56888 56889 403400 4 API calls 56888->56889 56889->56891 56891->56621 56892->56660 56893->56640 56894->56659 56895->56665 56896->56886 56904 453ab8 56897->56904 56899 453824 11 API calls 56899->56904 56900 453add CreateDirectoryA 56901 453b55 56900->56901 56902 453ae7 GetLastError 56900->56902 56903 403494 4 API calls 56901->56903 56902->56904 56905 453b5f 56903->56905 56904->56899 56904->56900 56906 4514cc 4 API calls 56904->56906 56912 42e8d8 5 API calls 56904->56912 56913 45149c 4 API calls 56904->56913 56931 42da28 56904->56931 56954 406d78 19 API calls 56904->56954 56955 408c1c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56904->56955 56907 403420 4 API calls 56905->56907 56906->56904 56908 453b79 56907->56908 56910 403420 4 API calls 56908->56910 56911 453b86 56910->56911 56911->56680 56912->56904 56913->56904 56916 4584c4 56915->56916 56917 4584d2 56915->56917 56918 403494 4 API calls 56916->56918 56919 403400 4 API calls 56917->56919 56920 4584d0 56918->56920 56921 4584d9 56919->56921 56920->56699 56921->56699 56923 40cf5c 23 API calls 56922->56923 56927->56688 56928->56703 56929->56717 56932 42d218 5 API calls 56931->56932 56933 42da4e 56932->56933 56934 42da5a 56933->56934 56935 42cd58 7 API calls 56933->56935 56936 42d218 5 API calls 56934->56936 56938 42daa6 56934->56938 56935->56934 56937 42da6a 56936->56937 56939 42da76 56937->56939 56941 42cd58 7 API calls 56937->56941 56940 42c814 5 API calls 56938->56940 56939->56938 56942 42da9b 56939->56942 56945 42d218 5 API calls 56939->56945 56944 42dab0 56940->56944 56941->56939 56942->56938 56943 42d8a8 GetWindowsDirectoryA 56942->56943 56943->56938 56946 42c40c 5 API calls 56944->56946 56947 42da8f 56945->56947 56948 42dabb 56946->56948 56947->56942 56950 42cd58 7 API calls 56947->56950 56949 403494 4 API calls 56948->56949 56951 42dac5 56949->56951 56950->56942 56952 403420 4 API calls 56951->56952 56953 42dadf 56952->56953 
56953->56904 56954->56904 56955->56904 58373 4222f4 58374 422303 58373->58374 58379 421284 58374->58379 58377 422323 58380 4212f3 58379->58380 58382 421293 58379->58382 58384 421304 58380->58384 58404 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 58380->58404 58382->58380 58403 408d3c 19 API calls 58382->58403 58383 421332 58386 42134d 58383->58386 58387 4213a5 58383->58387 58384->58383 58385 4213ca 58384->58385 58389 4213de SetMenu 58385->58389 58401 4213a3 58385->58401 58396 421370 GetMenu 58386->58396 58386->58401 58393 4213b9 58387->58393 58387->58401 58388 4213f6 58407 4211cc 10 API calls 58388->58407 58389->58401 58392 4213fd 58392->58377 58402 4221f8 10 API calls 58392->58402 58395 4213c2 SetMenu 58393->58395 58395->58401 58397 421393 58396->58397 58398 42137a 58396->58398 58405 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 58397->58405 58400 42138d SetMenu 58398->58400 58400->58397 58401->58388 58406 421e3c 11 API calls 58401->58406 58402->58377 58403->58382 58404->58384 58405->58401 58406->58388 58407->58392 58408 46e6bc 58409 46e6c7 58408->58409 58412 46e514 58409->58412 58413 46e53d 58412->58413 58414 46e55a 58413->58414 58415 44fba4 2 API calls 58413->58415 58422 46e26c 58414->58422 58415->58414 58417 46e5e9 58420 46e59f 58420->58417 58426 4953c4 18 API calls 58420->58426 58423 46e1e4 2 API calls 58422->58423 58424 46e27a 58423->58424 58424->58417 58425 495368 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 58424->58425 58425->58420 58426->58417 58427 4165fc DestroyWindow 58428 42e3ff SetErrorMode
Strings
• Dest filename: %s, xrefs: 00470A8C
• Existing file is a newer version. Skipping., xrefs: 00470DFA
• @, xrefs: 004709A8
• Skipping due to "onlyifdestfileexists" flag., xrefs: 004710F2
• Skipping due to "onlyifdoesntexist" flag., xrefs: 00470BC6
• Dest file exists., xrefs: 00470BB3
• Dest file is protected by Windows File Protection., xrefs: 00470AE5
• Version of our file: %u.%u.%u.%u, xrefs: 00470CE8
• Time stamp of existing file: %s, xrefs: 00470C23
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470EAD
• Stripped read-only attribute., xrefs: 004710BF
• Failed to strip read-only attribute., xrefs: 004710CB
• Hl, xrefs: 0047093E
• Version of our file: (none), xrefs: 00470CF4
• User opted not to overwrite the existing file. Skipping., xrefs: 00471045
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047108E
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470FE4
• Installing the file., xrefs: 00471101
• Time stamp of existing file: (failed to read), xrefs: 00470C2F
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470EBC
• .tmp, xrefs: 004711AF
• Incrementing shared file count (64-bit)., xrefs: 00471784
• Will register the file (a DLL/OCX) later., xrefs: 00471717
• Incrementing shared file count (32-bit)., xrefs: 0047179D
• Installing into GAC, xrefs: 0047190C
• Will register the file (a type library) later., xrefs: 0047170B
• Couldn't read time stamp. Skipping., xrefs: 00470F2D
• Non-default bitness: 32-bit, xrefs: 00470AB3
• Version of existing file: (none), xrefs: 00470EF2
• Existing file has a later time stamp. Skipping., xrefs: 00470FC7
• InUn, xrefs: 00471357
• Non-default bitness: 64-bit, xrefs: 00470AA7
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470EC8
• Version of existing file: %u.%u.%u.%u, xrefs: 00470D74
• , xrefs: 00470DC7, 00470F98, 00471016
• Same version. Skipping., xrefs: 00470EDD
• Time stamp of our file: (failed to read), xrefs: 00470B9F
• Uninstaller requires administrator: %s, xrefs: 00471387
• -- File entry --, xrefs: 004708F3
• Time stamp of our file: %s, xrefs: 00470B93
• Same time stamp. Skipping., xrefs: 00470F4D
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$Hl$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-1295931371
• Opcode ID: 9f2865767024a930b7916cd63da71f425be50596fff11d1e8904fa8c666432a3
• Instruction ID: 467263080efe338566352cc629e32221acf2e6aeb32e26e45aec936313cc1361
• Opcode Fuzzy Hash: 9f2865767024a930b7916cd63da71f425be50596fff11d1e8904fa8c666432a3
• Instruction Fuzzy Hash: AA927434A04288DFDB11DFA9C445BDDBBB4AF05304F1480ABE848BB392D7789E49DB59

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1578 42e0ac-42e0bd 1579 42e0c8-42e0ed AllocateAndInitializeSid 1578->1579 1580 42e0bf-42e0c3 1578->1580 1581 42e297-42e29f 1579->1581 1582 42e0f3-42e110 GetVersion 1579->1582 1580->1581 1583 42e112-42e127 GetModuleHandleA GetProcAddress 1582->1583 1584 42e129-42e12b 1582->1584 1583->1584 1585 42e152-42e16c GetCurrentThread OpenThreadToken 1584->1585 1586 42e12d-42e13b CheckTokenMembership 1584->1586 1589 42e1a3-42e1cb GetTokenInformation 1585->1589 1590 42e16e-42e178 GetLastError 1585->1590 1587 42e141-42e14d 1586->1587 1588 42e279-42e28f FreeSid 1586->1588 1587->1588 1593 42e1e6-42e20a call 402648 GetTokenInformation 1589->1593 1594 42e1cd-42e1d5 GetLastError 1589->1594 1591 42e184-42e197 GetCurrentProcess OpenProcessToken 1590->1591 1592 42e17a-42e17f call 4031bc 1590->1592 1591->1589 1597 42e199-42e19e call 4031bc 1591->1597 1592->1581 1604 42e218-42e220 1593->1604 1605 42e20c-42e216 call 4031bc * 2 1593->1605 1594->1593 1598 42e1d7-42e1e1 call 4031bc * 2 1594->1598 1597->1581 1598->1581 1609 42e222-42e223 1604->1609 1610 42e253-42e271 call 402660 CloseHandle 1604->1610 1605->1581 1614 42e225-42e238 EqualSid 1609->1614 1617 42e23a-42e247 1614->1617 1618 42e24f-42e251 1614->1618 1617->1618 1620 42e249-42e24d 1617->1620 1618->1610 1618->1614 1620->1610
APIs
• AllocateAndInitializeSid.ADVAPI32(0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0E6
• GetVersion.KERNEL32(00000000,0042E290,?,0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E103
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E290,?,0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E122
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E290,?,0049A788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E137
• FreeSid.ADVAPI32(00000000,0042E297,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E28A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-1888249752
• Opcode ID: 7c80af42b102e27edf5db655613db814b4685419315c422c8b7ce9c7c8cae370
• Instruction ID: b767a2b0357b006b48fec58faac565969e4e2695d2e87526588baf6f991b03ff
• Opcode Fuzzy Hash: 7c80af42b102e27edf5db655613db814b4685419315c422c8b7ce9c7c8cae370
• Instruction Fuzzy Hash: 99518371B44615EEEB10EAE6A842B7F7BACDB09304F9404BBB501F7282D5789904867D

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1642 450334-450341 1643 450347-450354 GetVersion 1642->1643 1644 4503f0-4503fa 1642->1644 1643->1644 1645 45035a-450370 LoadLibraryA 1643->1645 1645->1644 1646 450372-4503eb GetProcAddress * 6 1645->1646 1646->1644
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(00480FD9), ref: 00450347
                                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480FD9), ref: 0045035F
                                                                                                              • GetProcAddress.KERNEL32(6E3B0000,RmStartSession), ref: 0045037D
                                                                                                              • GetProcAddress.KERNEL32(6E3B0000,RmRegisterResources), ref: 00450392
                                                                                                              • GetProcAddress.KERNEL32(6E3B0000,RmGetList), ref: 004503A7
                                                                                                              • GetProcAddress.KERNEL32(6E3B0000,RmShutdown), ref: 004503BC
                                                                                                              • GetProcAddress.KERNEL32(6E3B0000,RmRestart), ref: 004503D1
                                                                                                              • GetProcAddress.KERNEL32(6E3B0000,RmEndSession), ref: 004503E6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                                                              • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                                              • API String ID: 1968650500-3419246398
                                                                                                              • Opcode ID: ba4799ed598e863f1006e140a948279c49c85d1dce31870895334632bea49e72
                                                                                                              • Instruction ID: 01977ea06872d8050a8028e1fd06f6bfd4923f5c9242ba3c4897223f9bd4e12c
                                                                                                              • Opcode Fuzzy Hash: ba4799ed598e863f1006e140a948279c49c85d1dce31870895334632bea49e72
                                                                                                              • Instruction Fuzzy Hash: 2711C9B4550200DBD710FB79ADC5A2A32E4E765717F58163BB940AB1A3C67C4848CF2C

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1790 423c1c-423c50 1791 423c52-423c53 1790->1791 1792 423c84-423c9b call 423b78 1790->1792 1793 423c55-423c71 call 40b25c 1791->1793 1798 423cfc-423d01 1792->1798 1799 423c9d 1792->1799 1823 423c73-423c7b 1793->1823 1824 423c80-423c82 1793->1824 1802 423d03 1798->1802 1803 423d37-423d3c 1798->1803 1800 423ca3-423ca6 1799->1800 1801 423d60-423d70 1799->1801 1804 423cd5-423cd8 1800->1804 1805 423ca8 1800->1805 1808 423d72-423d77 1801->1808 1809 423d7b-423d83 call 4241a4 1801->1809 1811 423fc1-423fc9 1802->1811 1812 423d09-423d11 1802->1812 1806 423d42-423d45 1803->1806 1807 4240aa-4240b8 IsIconic 1803->1807 1817 423db9-423dc0 1804->1817 1818 423cde-423cdf 1804->1818 1813 423e06-423e16 call 423b94 1805->1813 1814 423cae-423cb1 1805->1814 1815 4240e6-4240fb call 424860 1806->1815 1816 423d4b-423d4c 1806->1816 1819 424162-42416a 1807->1819 1826 4240be-4240c9 GetFocus 1807->1826 1821 423d88-423d90 call 4241ec 1808->1821 1822 423d79-423d9c call 423b94 1808->1822 1809->1819 1811->1819 1820 423fcf-423fda call 4181f0 1811->1820 1827 423f23-423f4a SendMessageA 1812->1827 1828 423d17-423d1c 1812->1828 1813->1819 1830 423cb7-423cba 1814->1830 1831 423e2e-423e4a PostMessageA call 423b94 1814->1831 1815->1819 1841 423d52-423d55 1816->1841 1842 4240fd-424104 1816->1842 1817->1819 1833 423dc6-423dcd 1817->1833 1834 423ce5-423ce8 1818->1834 1835 423f4f-423f56 1818->1835 1840 424181-424187 1819->1840 1820->1819 1875 423fe0-423fef call 4181f0 IsWindowEnabled 1820->1875 1821->1819 1822->1819 1823->1840 1824->1792 1824->1793 1826->1819 1829 4240cf-4240d8 call 41f004 1826->1829 1827->1819 1837 423d22-423d23 1828->1837 1838 42405a-424065 1828->1838 1829->1819 1886 4240de-4240e4 SetFocus 1829->1886 1849 423cc0-423cc3 1830->1849 1850 423eb5-423ebc 1830->1850 1831->1819 1833->1819 1854 423dd3-423dd9 1833->1854 1855 423cee-423cf1 1834->1855 1856 423e4f-423e6f call 423b94 1834->1856 1835->1819 1865 423f5c-423f61 call 404e54 1835->1865 1858 424082-42408d 1837->1858 1859 423d29-423d2c 1837->1859 1838->1819 1861 42406b-42407d 1838->1861 1862 424130-424137 1841->1862 1863 423d5b 1841->1863 1852 424106-424119 call 4244e4 1842->1852 1853 42411b-42412e call 42453c 1842->1853 1868 423cc9-423cca 1849->1868 1869 423dde-423dec IsIconic 1849->1869 1870 423ebe-423ed1 call 423b24 1850->1870 1871 423eef-423f00 call 423b94 1850->1871 1852->1819 1853->1819 1854->1819 1873 423cf7 1855->1873 1874 423e1b-423e29 call 424188 1855->1874 1904 423e93-423eb0 call 423a94 PostMessageA 1856->1904 1905 423e71-423e8e call 423b24 PostMessageA 1856->1905 1858->1819 1882 424093-4240a5 1858->1882 1879 423d32 1859->1879 1880 423f66-423f6e 1859->1880 1861->1819 1877 42414a-424159 1862->1877 1878 424139-424148 1862->1878 1881 42415b-42415c call 423b94 1863->1881 1865->1819 1887 423cd0 1868->1887 1888 423da1-423da9 1868->1888 1894 423dfa-423e01 call 423b94 1869->1894 1895 423dee-423df5 call 423bd0 1869->1895 1919 423ee3-423eea call 423b94 1870->1919 1920 423ed3-423edd call 41ef68 1870->1920 1924 423f02-423f08 call 41eeb4 1871->1924 1925 423f16-423f1e call 423a94 1871->1925 1873->1881 1874->1819 1875->1819 1921 423ff5-424004 call 4181f0 IsWindowVisible 1875->1921 1877->1819 1878->1819 1879->1881 1880->1819 1901 423f74-423f7b 1880->1901 1912 424161 1881->1912 1882->1819 1886->1819 1887->1881 1888->1819 1906 423daf-423db4 call 422c5c 1888->1906 1894->1819 1895->1819 1901->1819 1903 423f81-423f90 call 4181f0 IsWindowEnabled 1901->1903 1903->1819 1935 423f96-423fac call 412320 1903->1935 1904->1819 1905->1819 1906->1819 1912->1819 1919->1819 1920->1919 1921->1819 1942 42400a-424055 GetFocus call 4181f0 SetFocus call 415250 SetFocus 1921->1942 1939 423f0d-423f10 1924->1939 1925->1819 1935->1819 1945 423fb2-423fbc 1935->1945 1939->1925 1942->1819 1945->1819
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6031c6058a4147557a324cf51ffefd4fe9d2f91239d218d1be50ed81b108de41
                                                                                                              • Instruction ID: e16ee7298f114c8dbeebd16f5ebee6ca6ec91daf226906b03d032974817fe50e
                                                                                                              • Opcode Fuzzy Hash: 6031c6058a4147557a324cf51ffefd4fe9d2f91239d218d1be50ed81b108de41
                                                                                                              • Instruction Fuzzy Hash: 87E1A130700224DFD704EF59E989A6EB7F5EB94304F9480A6E545AB352C73CEE91DB08
                                                                                                              APIs
                                                                                                                • Part of subcall function 00495FA4: GetWindowRect.USER32(00000000), ref: 00495FBA
                                                                                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046781B
                                                                                                                • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00467835), ref: 0041D6EB
                                                                                                                • Part of subcall function 00467228: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004672CB
                                                                                                                • Part of subcall function 00467228: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004672F1
                                                                                                                • Part of subcall function 00467228: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467348
                                                                                                                • Part of subcall function 00466BE8: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,004678D0,00000000,00000000,00000000,0000000C,00000000), ref: 00466C00
                                                                                                                • Part of subcall function 00496228: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00496232
                                                                                                                • Part of subcall function 0042ED48: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
                                                                                                                • Part of subcall function 0042ED48: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
                                                                                                                • Part of subcall function 00495EF4: GetDC.USER32(00000000), ref: 00495F16
                                                                                                                • Part of subcall function 00495EF4: SelectObject.GDI32(?,00000000), ref: 00495F3C
                                                                                                                • Part of subcall function 00495EF4: ReleaseDC.USER32(00000000,?), ref: 00495F8D
                                                                                                                • Part of subcall function 00496218: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00496222
                                                                                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0233F390,023410F0,?,?,02341120,?,?,02341170,?), ref: 004684BF
                                                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004684D0
                                                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004684E8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadProcRectReleaseSelectSystemUserWindow
                                                                                                              • String ID: $(Default)$STOPIMAGE
                                                                                                              • API String ID: 616467991-770201673
                                                                                                              • Opcode ID: 87bcb674c8b66ef52b6acd084ab0e16fc1d5b69bf8698de0b4974f4e12f6faa5
                                                                                                              • Instruction ID: 31ed69900cd485df966db968cea1a759f135fc149481760ad81ee09e41d161c5
                                                                                                              • Opcode Fuzzy Hash: 87bcb674c8b66ef52b6acd084ab0e16fc1d5b69bf8698de0b4974f4e12f6faa5
                                                                                                              • Instruction Fuzzy Hash: 5BF2C5786005209FCB00EB69D4D9F9973F1BF49304F1542BAE5049B36ADB78EC46CB9A
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0047552E,?,?,0049D1E0,00000000), ref: 0047541D
                                                                                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0047552E,?,?,0049D1E0,00000000), ref: 004754FA
                                                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0047552E,?,?,0049D1E0,00000000), ref: 00475508
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstNext
                                                                                                              • String ID: unins$unins???.*
                                                                                                              • API String ID: 3541575487-1009660736
                                                                                                              • Opcode ID: 223772387e8f10f3c6a78500543930a556b145fa8c6e4b5ce699a46b4d94e286
                                                                                                              • Instruction ID: 94c2e66123b914be41fb9230d3e0bd96c7eed6bd52dd6cc9b7e2a75fa87f4789
                                                                                                              • Opcode Fuzzy Hash: 223772387e8f10f3c6a78500543930a556b145fa8c6e4b5ce699a46b4d94e286
                                                                                                              • Instruction Fuzzy Hash: 7D315370600558ABDB10EB69CD41BDEB7B9EF44304F5480B6A40CAB3A6DB78DF819B58
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00452B37,?,?,-00000001,00000000), ref: 00452B11
                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452B37,?,?,-00000001,00000000), ref: 00452B19
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFileFindFirstLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 873889042-0
                                                                                                              • Opcode ID: 62d728c2e18dd8ea61fe43d8693a083aa73a16905187bb3e16a058413067dfd1
                                                                                                              • Instruction ID: 47a0ca8b87b913a19c884f83f9383acd825b8acbe58efe6d1ea2a1073528362f
                                                                                                              • Opcode Fuzzy Hash: 62d728c2e18dd8ea61fe43d8693a083aa73a16905187bb3e16a058413067dfd1
                                                                                                              • Instruction Fuzzy Hash: 69F04931A00604AB8B10DF6A9D4189EF7ACEB4632171042BBFC14E3292DAB85E048558
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(00000367,0046E27A), ref: 0046E1EE
                                                                                                              • CoCreateInstance.OLE32(0049AB98,00000000,00000001,0049ABA8,?,00000367,0046E27A), ref: 0046E20A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateInstanceVersion
                                                                                                              • String ID:
                                                                                                              • API String ID: 1462612201-0
                                                                                                              • Opcode ID: a4af8d076fcecf17adfdc3d0480ff287c2d0b6366a88815b83ba2acce94f7983
                                                                                                              • Instruction ID: 2583b72e9ff3fb42948badd432de3b99868d7e942e7e47a623e6463d1fe0ae05
                                                                                                              • Opcode Fuzzy Hash: a4af8d076fcecf17adfdc3d0480ff287c2d0b6366a88815b83ba2acce94f7983
                                                                                                              • Instruction Fuzzy Hash: 58F0E5346412009EFB10E77AEC46B4A37CAAB21319F5004BBF144A7292E2ACE495870F
                                                                                                              APIs
                                                                                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049C4C0,00000001,?,00408643,?,00000000,00408722), ref: 00408596
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale
                                                                                                              • String ID:
                                                                                                              • API String ID: 2299586839-0
                                                                                                              • Opcode ID: eb14f04c5e02207c2fd5126442fac2e3d3ce4c3ff781734da4d02da34a9f601e
                                                                                                              • Instruction ID: 7c1c2e54cb9be6942265fc2fe4f8d610b96419e03c3bde54798e363261146e82
                                                                                                              • Opcode Fuzzy Hash: eb14f04c5e02207c2fd5126442fac2e3d3ce4c3ff781734da4d02da34a9f601e
                                                                                                              • Instruction Fuzzy Hash: D1E09271700614A6D311A95A9C86AEAB35C9B68314F00427FB944E73C6EDB89E4046E9
                                                                                                              APIs
                                                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NtdllProc_Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 4255912815-0
                                                                                                              • Opcode ID: 1e03a0b95ee3ac50814388fded2f2c100431d5d137ce34ba8ee35217fcdc3973
                                                                                                              • Instruction ID: 626c949ff67c0b5daba62b8ffba664747ea83a29b03f4787c3cb7294a8149fcf
                                                                                                              • Opcode Fuzzy Hash: 1e03a0b95ee3ac50814388fded2f2c100431d5d137ce34ba8ee35217fcdc3973
                                                                                                              • Instruction Fuzzy Hash: 9CF0B379205608AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234EE808F94
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NameUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2645101109-0
                                                                                                              • Opcode ID: b729cb2c5e6aed0314aaf1ae3f51ea3427620088d531228546b40ff94aa38a59
                                                                                                              • Instruction ID: 1d2ebe8de6f6cfe3948c3fff4a7e090af1b7aca458264ab6234f43f9cc1e19d2
                                                                                                              • Opcode Fuzzy Hash: b729cb2c5e6aed0314aaf1ae3f51ea3427620088d531228546b40ff94aa38a59
                                                                                                              • Instruction Fuzzy Hash: 94D0C2B130460063D700AA689C926AA368C8B84345F00483E3CC9DA2D3EABDDA48169A
                                                                                                              APIs
                                                                                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F5B0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NtdllProc_Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 4255912815-0
                                                                                                              • Opcode ID: 0f3603468c344ce3f2e9376b2c090f409274960c84c57a5106e539cc1743996a
                                                                                                              • Instruction ID: 438f9cd868ded5fa8976115e55c89a445960fd054612ac8023f685210e8cb482
                                                                                                              • Opcode Fuzzy Hash: 0f3603468c344ce3f2e9376b2c090f409274960c84c57a5106e539cc1743996a
                                                                                                              • Instruction Fuzzy Hash: 52D09E7221010DBB9B00DE99D840D6B33AD9B88754B908925F545C7346D634ED619BB5

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                               control_flow_graph 844 46f250-46f282 845 46f284-46f28b 844->845 846 46f29f 844->846 847 46f296-46f29d 845->847 848 46f28d-46f294 845->848 849 46f2a6-46f2de call 403634 call 403738 call 42ded0 846->849 847->849 848->846 848->847 856 46f2e0-46f2f4 call 403738 call 42ded0 849->856 857 46f2f9-46f322 call 403738 call 42ddf4 849->857 856->857 865 46f324-46f32d call 46ef20 857->865 866 46f332-46f35b call 46f03c 857->866 865->866 870 46f36d-46f370 call 403400 866->870 871 46f35d-46f36b call 403494 866->871 875 46f375-46f3c0 call 46f03c call 42c40c call 46f084 call 46f03c 870->875 871->875 884 46f3d6-46f3f7 call 455644 call 46f03c 875->884 885 46f3c2-46f3d5 call 46f0ac 875->885 892 46f44d-46f454 884->892 893 46f3f9-46f44c call 46f03c call 431478 call 46f03c call 431478 call 46f03c 884->893 885->884 894 46f456-46f493 call 431478 call 46f03c call 431478 call 46f03c 892->894 895 46f494-46f49b 892->895 893->892 894->895 897 46f4dc-46f501 call 40b25c call 46f03c 895->897 898 46f49d-46f4db call 46f03c * 3 895->898 919 46f503-46f50e call 47c6f0 897->919 920 46f510-46f519 call 403494 897->920 898->897 927 46f51e-46f529 call 479240 919->927 920->927 934 46f532 927->934 935 46f52b-46f530 927->935 936 46f537-46f701 call 403778 call 46f03c call 47c6f0 call 46f084 call 403494 call 40357c * 2 call 46f03c call 403494 call 40357c * 2 call 46f03c call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 call 46f084 call 47c6f0 934->936 935->936 999 46f717-46f725 call 46f0ac 936->999 1000 46f703-46f715 call 46f03c 936->1000 1004 46f72a 999->1004 1005 46f72b-46f774 call 46f0ac call 46f0e0 call 46f03c call 47c6f0 call 46f144 1000->1005 1004->1005 1016 46f776-46f799 call 46f0ac * 2 1005->1016 1017 46f79a-46f7a7 1005->1017 1016->1017 1019 46f876-46f87d 1017->1019 1020 46f7ad-46f7b4 1017->1020 1021 46f8d7-46f8ed RegCloseKey 1019->1021 1022 46f87f-46f8b5 call 4953c4 1019->1022 1024 46f7b6-46f7bd 1020->1024 1025 46f821-46f830 1020->1025 1022->1021 1024->1025 1029 46f7bf-46f7e3 call 430c40 1024->1029 1028 46f833-46f840 1025->1028 1032 46f857-46f870 call 430c7c call 46f0ac 1028->1032 1033 46f842-46f84f 1028->1033 1029->1028 1039 46f7e5-46f7e6 1029->1039 1042 46f875 1032->1042 1033->1032 1037 46f851-46f855 1033->1037 1037->1019 1037->1032 1041 46f7e8-46f80e call 40b25c call 479a9c 1039->1041 1047 46f810-46f816 call 430c40 1041->1047 1048 46f81b-46f81d 1041->1048 1042->1019 1047->1048 1048->1041 1050 46f81f 1048->1050 1050->1028
                                                                                                              APIs
                                                                                                                • Part of subcall function 0046F03C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,JfG,?,0049D1E0,?,0046F353,?,00000000,0046F8EE,?,_is1), ref: 0046F05F
                                                                                                                • Part of subcall function 0046F0AC: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F72A,?,?,00000000,0046F8EE,?,_is1,?), ref: 0046F0BF
                                                                                                              • RegCloseKey.ADVAPI32(?,0046F8F5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F940,?,?,0049D1E0,00000000), ref: 0046F8E8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value$Close
                                                                                                              • String ID: " /SILENT$5.5.6 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                                              • API String ID: 3391052094-4001681900
                                                                                                              • Opcode ID: 0c8f29f64bdd0ecd06bbcfcfee9d93e2977bfa718a38598d02fb25eda312bb98
                                                                                                              • Instruction ID: 2d81112130bbfcb2548f8b376684fbb7cc3ec4c1e14eddd466eba1ede3ae6ff4
                                                                                                              • Opcode Fuzzy Hash: 0c8f29f64bdd0ecd06bbcfcfee9d93e2977bfa718a38598d02fb25eda312bb98
                                                                                                              • Instruction Fuzzy Hash: DD126735A001089BCB14EF55F881ADE73F5EB48304F60817BE854AB396EB78BD49CB59
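The call list of this function (RegSetValueExA on "Inno Setup: Setup Version" and NoModify via its two subcalls, RegCloseKey with Software\Microsoft\Windows\CurrentVersion\Uninstall\ and _is1 still on the stack) together with its string table identifies it as the installer runtime registering its uninstall entry under ...\CurrentVersion\Uninstall\<AppId>_is1, with the version string 5.5.6 (a) and the `" /SILENT` suffix used for QuietUninstallString. What a responder wants from that is a way to find such entries on a host and spot ones that were not written as a set. The Python below is added here as an example; it is not code from Joe Sandbox, from Inno Setup or from the sample. It parses a `reg export` of the Uninstall key and applies that check. The .reg text is constructed (application names and paths are made up), and the pairing rule it enforces, QuietUninstallString equal to UninstallString followed by the `" /SILENT` literal seen in the string table, is the one assumption beyond what the report shows.

```python
"""Triage of Inno Setup uninstall entries in a Windows registry export.
Added example for this report; not Joe Sandbox, Inno Setup or sample code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RegKeys = Dict[str, Dict[str, object]]

# Value names the report shows being written under ...\Uninstall\<AppId>_is1
# that only Inno Setup's runtime uses.
INNO_MARKERS = ("Inno Setup: Setup Version", "Inno Setup: App Path")


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(v: str) -> object:
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    return v  # hex(...) blobs and other types are kept as raw text


def parse_reg_export(text: str) -> RegKeys:
    """Parse `reg export` text (already decoded from UTF-16) into
    {key path: {value name: value}}. Multi-line hex values are not
    reassembled; these checks do not need them."""
    keys: RegKeys = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else _unescape(name.strip().strip('"'))
        keys[current][name] = _decode_value(value.strip())
    return keys


def _exe_from_command(cmd: str) -> str:
    """Executable of an uninstall command: the quoted token if quoted,
    otherwise the first whitespace-delimited token."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


@dataclass
class InnoEntry:
    key: str
    display_name: object
    setup_version: object
    app_path: object
    uninstaller: str          # file to collect for analysis
    findings: List[str] = field(default_factory=list)


def inno_uninstall_entries(keys: RegKeys) -> List[InnoEntry]:
    """Select Uninstall subkeys carrying Inno Setup's signature (the _is1
    suffix or the 'Inno Setup: ...' values) and check their consistency.
    Assumption: Inno Setup writes QuietUninstallString as UninstallString
    + ' /SILENT' (the literal in this function's string table), so a
    mismatch means the pair was not written together."""
    entries = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        has_markers = any(m in values for m in INNO_MARKERS)
        if not (leaf.endswith("_is1") or has_markers):
            continue
        uninst = str(values.get("UninstallString", ""))
        quiet = str(values.get("QuietUninstallString", ""))
        findings = []
        if uninst and quiet and quiet != uninst + " /SILENT":
            findings.append("QuietUninstallString is not UninstallString + ' /SILENT'")
        if not leaf.endswith("_is1"):
            findings.append("Inno Setup values under a key without the _is1 suffix")
        if not has_markers:
            findings.append("_is1 key without 'Inno Setup: ...' marker values")
        entries.append(InnoEntry(path, values.get("DisplayName"),
                                 values.get("Inno Setup: Setup Version"),
                                 values.get("Inno Setup: App Path"),
                                 _exe_from_command(uninst), findings))
    return entries


# Constructed export (names and paths are made up, not from the analysed
# sample): one consistent entry and one whose quiet string was altered.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}_is1]
"Inno Setup: Setup Version"="5.5.6 (a)"
"Inno Setup: App Path"="C:\\Program Files (x86)\\Example App"
"DisplayName"="Example App"
"UninstallString"="\"C:\\Program Files (x86)\\Example App\\uninst.exe\""
"QuietUninstallString"="\"C:\\Program Files (x86)\\Example App\\uninst.exe\" /SILENT"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Updater_is1]
"Inno Setup: Setup Version"="5.5.6 (a)"
"Inno Setup: App Path"="C:\\ProgramData\\Updater"
"DisplayName"="Updater"
"UninstallString"="\"C:\\ProgramData\\Updater\\uninst.exe\""
"QuietUninstallString"="\"C:\\ProgramData\\Updater\\helper.exe\" /SILENT"
"NoModify"=dword:00000001
'''

if __name__ == "__main__":
    for e in inno_uninstall_entries(parse_reg_export(SAMPLE_REG)):
        print(e.key.rsplit("\\", 1)[-1], e.setup_version, e.uninstaller, e.findings or "ok")
```

The function opens `Software\Microsoft\Windows\CurrentVersion\Uninstall\` as a 32-bit process, so on 64-bit Windows the redirector lands its HKLM entry under `SOFTWARE\WOW6432Node\...`; export both that path and the non-redirected one, plus the HKCU key for per-user installs. `reg export` writes UTF-16 with a BOM, so read the file with `encoding="utf-16"` before passing the text in. A mismatch is a triage lead, not proof: a repackaged or hand-edited entry trips the same check.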

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                               control_flow_graph 1051 492dec-492e20 call 403684 1054 492e22-492e31 call 447010 Sleep 1051->1054 1055 492e36-492e43 call 403684 1051->1055 1060 4932c6-4932e0 call 403420 1054->1060 1061 492e72-492e7f call 403684 1055->1061 1062 492e45-492e68 call 44706c call 403738 FindWindowA call 4472ec 1055->1062 1069 492eae-492ebb call 403684 1061->1069 1070 492e81-492ea9 call 44706c call 403738 FindWindowA call 4472ec 1061->1070 1081 492e6d 1062->1081 1079 492ebd-492eff call 447010 * 4 SendMessageA call 4472ec 1069->1079 1080 492f04-492f11 call 403684 1069->1080 1070->1060 1079->1060 1089 492f60-492f6d call 403684 1080->1089 1090 492f13-492f5b call 447010 * 4 PostMessageA call 447144 1080->1090 1081->1060 1099 492fbc-492fc9 call 403684 1089->1099 1100 492f6f-492fb7 call 447010 * 4 SendNotifyMessageA call 447144 1089->1100 1090->1060 1111 492fcb-492ff1 call 44706c call 403738 RegisterClipboardFormatA call 4472ec 1099->1111 1112 492ff6-493003 call 403684 1099->1112 1100->1060 1111->1060 1127 493005-49303f call 447010 * 3 SendMessageA call 4472ec 1112->1127 1128 493044-493051 call 403684 1112->1128 1127->1060 1141 493098-4930a5 call 403684 1128->1141 1142 493053-493093 call 447010 * 3 PostMessageA call 447144 1128->1142 1151 4930ec-4930f9 call 403684 1141->1151 1152 4930a7-4930e7 call 447010 * 3 SendNotifyMessageA call 447144 1141->1152 1142->1060 1163 4930fb-493119 call 44706c call 42e3a4 1151->1163 1164 49314e-49315b call 403684 1151->1164 1152->1060 1183 49312b-493139 GetLastError call 4472ec 1163->1183 1184 49311b-493129 call 4472ec 1163->1184 1174 49315d-493189 call 44706c call 403738 call 447010 GetProcAddress 1164->1174 1175 4931d5-4931e2 call 403684 1164->1175 1208 49318b-4931c0 call 447010 * 2 call 4472ec call 447144 1174->1208 1209 4931c5-4931d0 call 447144 1174->1209 1189 49320a-493217 call 403684 1175->1189 1190 4931e4-493205 call 447010 FreeLibrary call 447144 1175->1190 1196 49313e-493149 call 4472ec 1183->1196 1184->1196 1201 493219-493237 call 44706c call 403738 CreateMutexA 1189->1201 1202 49323c-493249 call 403684 1189->1202 1190->1060 1196->1060 1201->1060 1217 49324b-49327d call 48d220 call 403574 call 403738 OemToCharBuffA call 48d238 1202->1217 1218 49327f-49328c call 403684 1202->1218 1208->1060 1209->1060 1217->1060 1227 49328e-4932c0 call 48d220 call 403574 call 403738 CharToOemBuffA call 48d238 1218->1227 1228 4932c2 1218->1228 1227->1060 1228->1060
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(00000000,00000000,004932E1,?,?,?,?,00000000,00000000,00000000), ref: 00492E2C
                                                                                                              • FindWindowA.USER32(00000000,00000000), ref: 00492E5D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindSleepWindow
                                                                                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                              • API String ID: 3078808852-3310373309
                                                                                                              • Opcode ID: ab981dd30d0aee45c05a3b051f24ce0c537323c16054c62714ac7cac7fc0af63
                                                                                                              • Instruction ID: 0de698378398c76d082fe6c781760205a02602346193583708d777b6c814c377
                                                                                                              • Opcode Fuzzy Hash: ab981dd30d0aee45c05a3b051f24ce0c537323c16054c62714ac7cac7fc0af63
                                                                                                              • Instruction Fuzzy Hash: C9C18360B0821067DB14BF7E8C4261E5A999F99B05710CD7FB446EB38BCE3DDE0A425D

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1621 483f60-483f85 GetModuleHandleA GetProcAddress 1622 483fec-483ff1 GetSystemInfo 1621->1622 1623 483f87-483f9d GetNativeSystemInfo GetProcAddress 1621->1623 1625 483ff6-483fff 1622->1625 1624 483f9f-483faa GetCurrentProcess 1623->1624 1623->1625 1624->1625 1634 483fac-483fb0 1624->1634 1626 48400f-484016 1625->1626 1627 484001-484005 1625->1627 1630 484031-484036 1626->1630 1628 484018-48401f 1627->1628 1629 484007-48400b 1627->1629 1628->1630 1632 48400d-48402a 1629->1632 1633 484021-484028 1629->1633 1632->1630 1633->1630 1634->1625 1636 483fb2-483fb9 call 452790 1634->1636 1636->1625 1639 483fbb-483fc8 GetProcAddress 1636->1639 1639->1625 1640 483fca-483fe1 GetModuleHandleA GetProcAddress 1639->1640 1640->1625 1641 483fe3-483fea 1640->1641 1641->1625
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483F71
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483F7E
                                                                                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483F8C
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483F94
                                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483FA0
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483FC1
                                                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483FD4
                                                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483FDA
                                                                                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483FF1
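Every function block on this page carries the same machine-readable pieces: the `APIs` bullets in the form `Api.MODULE(args), ref: address` (prefixed with `Part of subcall function` when the call sits in a callee), the `Memory Dump Source` file names, and the hashes. Turning them into records makes a report this size searchable, for instance to list every name the sample resolves through GetProcAddress, as this function does for GetNativeSystemInfo, IsWow64Process, GetSystemWow64DirectoryA and RegDeleteKeyExA. The Python below is an added example, not Joe Sandbox code and not a documented format: the line grammar is inferred from the lines on this page, the sample input is copied from the blocks above, and the reading of the dump-name fields (fourth field = region base, fifth = page protection) is an assumption that the 0x20 value on the 0x401000 code region is consistent with.

```python
"""Structured parsing of the per-function API lines and memory-dump names
in a Joe Sandbox text report. Added example; not Joe Sandbox's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented Windows page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Grammar inferred from this report:
#   [• ][Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg,...), ref: XXXXXXXX
_API_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
_HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int               # address of the call instruction in the sample
    callee: Optional[int]  # set when the call is made inside a called function


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one 'APIs' bullet; None for headings and unrelated lines."""
    m = _API_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    callee = int(m["callee"], 16) if m["callee"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), callee)


def is_placeholder(arg: str) -> bool:
    # '?' marks an unrecovered argument; bare 8-digit hex is a pointer/integer.
    return arg == "?" or bool(_HEX_RE.match(arg))


def dynamic_imports(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress, i.e. imports resolved at run time.
    Arguments are recovered from the stack, so a stale value can show up
    (see the 'advapi32.dll' entry in the sample below)."""
    return [c.args[1] for c in calls if c.api == "GetProcAddress"
            and len(c.args) > 1 and not is_placeholder(c.args[1])]


def registry_value_names(calls: List[ApiCall]) -> List[str]:
    """lpValueName (2nd argument) of every RegSetValueExA call."""
    return [c.args[1] for c in calls if c.api == "RegSetValueExA"
            and len(c.args) > 1 and not is_placeholder(c.args[1])]


@dataclass
class DumpRegion:
    base: int
    protection: int
    raw_fields: List[str]  # all eight fields, undecoded

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, hex(self.protection))


def parse_dump_name(name: str) -> DumpRegion:
    """Split '<8>.<8>.<id>.<16>.<8>.<8>.<8>.<8>.sdmp'. Assumption (the page
    does not document the fields): field 4 is the region base and field 5
    the page protection; 0x20 on the 0x401000 code region fits that."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    return DumpRegion(int(fields[3], 16), int(fields[4], 16), fields)


# Lines copied from this report (function blocks 0046F250 and 00483F60).
SAMPLE_LINES = [
    r"• Part of subcall function 0046F03C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,JfG,?,0049D1E0,?,0046F353,?,00000000,0046F8EE,?,_is1), ref: 0046F05F",
    r"• Part of subcall function 0046F0AC: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F72A,?,?,00000000,0046F8EE,?,_is1,?), ref: 0046F0BF",
    r"• RegCloseKey.ADVAPI32(?,0046F8F5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F940,?,?,0049D1E0,00000000), ref: 0046F8E8",
    "• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483F71",
    "• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483F7E",
    "• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483F94",
    "• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483FC1",
    "• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483FD4",
    "• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483FDA",
    "Memory Dump Source",  # heading: parse_api_line() returns None
]
SAMPLE_CALLS = [c for c in map(parse_api_line, SAMPLE_LINES) if c]
```

The last GetProcAddress in the sample shows how the recovered arguments can be misaligned: at 00483FDA the report prints `advapi32.dll` as the name, while the real target, RegDeleteKeyExA, only appears in the overlong argument list of the preceding GetModuleHandleA line. Treat extracted names as leads to confirm in the disassembly at the `ref` address rather than as ground truth.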
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                              • API String ID: 2230631259-2623177817
                                                                                                              • Opcode ID: 2201496c5c445ff8090de454bf6ebb37dd8ee277a0fffd9fa5a8cd1afd0d38d8
                                                                                                              • Instruction ID: debdefcd9c900846d3217bdd74a69f8d0e186994afde8710a0eb2db1caaea97a
                                                                                                              • Opcode Fuzzy Hash: 2201496c5c445ff8090de454bf6ebb37dd8ee277a0fffd9fa5a8cd1afd0d38d8
                                                                                                              • Instruction Fuzzy Hash: 9E11E95180C74391D62177784C0676F2A988B92B59F080C377F80692C3DEBCC989A3AF

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1647 468e4c-468e84 call 47c6f0 1650 469066-469080 call 403420 1647->1650 1651 468e8a-468e9a call 479260 1647->1651 1656 468e9f-468ee4 call 407904 call 403738 call 42de2c 1651->1656 1662 468ee9-468eeb 1656->1662 1663 468ef1-468f06 1662->1663 1664 46905c-469060 1662->1664 1665 468f1b-468f22 1663->1665 1666 468f08-468f16 call 42dd5c 1663->1666 1664->1650 1664->1656 1668 468f24-468f46 call 42dd5c call 42dd74 1665->1668 1669 468f4f-468f56 1665->1669 1666->1665 1668->1669 1688 468f48 1668->1688 1671 468faf-468fb6 1669->1671 1672 468f58-468f7d call 42dd5c * 2 1669->1672 1674 468ffc-469003 1671->1674 1675 468fb8-468fca call 42dd5c 1671->1675 1692 468f7f-468f88 call 43156c 1672->1692 1693 468f8d-468f9f call 42dd5c 1672->1693 1677 469005-469039 call 42dd5c * 3 1674->1677 1678 46903e-469054 RegCloseKey 1674->1678 1689 468fcc-468fd5 call 43156c 1675->1689 1690 468fda-468fec call 42dd5c 1675->1690 1677->1678 1688->1669 1689->1690 1690->1674 1700 468fee-468ff7 call 43156c 1690->1700 1692->1693 1693->1671 1704 468fa1-468faa call 43156c 1693->1704 1700->1674 1704->1671
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,00469066,?,?,00000001,00000000,00000000,00469081,?,00000000,00000000,?), ref: 0046904F
                                                                                                              Strings
                                                                                                              • Inno Setup: App Path, xrefs: 00468F0E
                                                                                                              • Inno Setup: Icon Group, xrefs: 00468F2A
                                                                                                              • Inno Setup: User Info: Serial, xrefs: 00469031
                                                                                                              • Inno Setup: Deselected Components, xrefs: 00468F90
                                                                                                              • Inno Setup: User Info: Organization, xrefs: 0046901E
                                                                                                              • Inno Setup: Deselected Tasks, xrefs: 00468FDD
                                                                                                              • %s\%s_is1, xrefs: 00468EC9
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468EAB
                                                                                                              • Inno Setup: Setup Type, xrefs: 00468F5E
                                                                                                              • Inno Setup: Selected Components, xrefs: 00468F6E
                                                                                                              • Inno Setup: Selected Tasks, xrefs: 00468FBB
                                                                                                              • Inno Setup: No Icons, xrefs: 00468F37
                                                                                                              • Inno Setup: User Info: Name, xrefs: 0046900B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                              • API String ID: 47109696-1093091907
                                                                                                              • Opcode ID: 3126083cf3be9c39a66cdbe20af93384c1cff4aeea9d1100fba6d94b6d1288bc
                                                                                                              • Instruction ID: ec004eca3ef3c75e9be151f7b3ffcc37546afe520acb5c6156e930094c0c3bde
                                                                                                              • Opcode Fuzzy Hash: 3126083cf3be9c39a66cdbe20af93384c1cff4aeea9d1100fba6d94b6d1288bc
                                                                                                              • Instruction Fuzzy Hash: CA51C630A006089FDB15DB65D941BDEB7F9EF49304F6084ABE840673A1E7786F05CB4A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 0042D8A8: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453E28,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D), ref: 0042D8BB
                                                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                                • Part of subcall function 0042D900: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453BCE,00000000,00453C71,?,?,00000000,00000000,00000000,00000000,00000000,?,00454061,00000000), ref: 0042D91A
                                                                                                                • Part of subcall function 0042D900: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
                                                                                                              • SHGetKnownFolderPath.SHELL32(0049AD30,00008000,00000000,?,00000000,0047CDC6), ref: 0047CCCA
                                                                                                              • CoTaskMemFree.OLE32(?,0047CD0F), ref: 0047CD02
                                                                                                                • Part of subcall function 0042D218: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA4E,00000000,0042DAE0,?,?,?,0049C628,00000000,00000000), ref: 0042D243
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                              • API String ID: 3771764029-544719455
                                                                                                              • Opcode ID: c632660a73aa2456bea4c2f675731a15cac3be8b36c890987e871e9594b1d94f
                                                                                                              • Instruction ID: 266a5e1eeddd24a6ff800b9f6f3b1db768c176bc66f8c93c3bb1332691642a31
                                                                                                              • Opcode Fuzzy Hash: c632660a73aa2456bea4c2f675731a15cac3be8b36c890987e871e9594b1d94f
                                                                                                              • Instruction Fuzzy Hash: 5C61A235A00204AFDB20FBA5E882A8E7F69EB45718F50C47FE448A7395C73C9A45CB5D

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 2060 47d2fc-47d352 call 42c40c call 4035c0 call 47cfc0 call 45264c 2069 47d354-47d359 call 4533b8 2060->2069 2070 47d35e-47d36d call 45264c 2060->2070 2069->2070 2074 47d387-47d38d 2070->2074 2075 47d36f-47d375 2070->2075 2076 47d3a4-47d3cc call 42e3a4 * 2 2074->2076 2077 47d38f-47d395 2074->2077 2078 47d397-47d39f call 403494 2075->2078 2079 47d377-47d37d 2075->2079 2086 47d3f3-47d40d GetProcAddress 2076->2086 2087 47d3ce-47d3ee call 407904 call 4533b8 2076->2087 2077->2076 2077->2078 2078->2076 2079->2074 2082 47d37f-47d385 2079->2082 2082->2074 2082->2078 2089 47d40f-47d414 call 4533b8 2086->2089 2090 47d419-47d436 call 403400 * 2 2086->2090 2087->2086 2089->2090
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(6F950000,SHGetFolderPathA), ref: 0047D3FE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                                              • API String ID: 190572456-1343262939
                                                                                                              • Opcode ID: 4cc01edd127e64cd0f82a92db32c63990836159403836ae159d58d169a80421c
                                                                                                              • Instruction ID: d045dd866038c92064cf829f06b82d6aceddf0eaafaeaf0ab83e85e2faf6b2a6
                                                                                                              • Opcode Fuzzy Hash: 4cc01edd127e64cd0f82a92db32c63990836159403836ae159d58d169a80421c
                                                                                                              • Instruction Fuzzy Hash: 67311B70E10149AFCB10EFA9D9819EEB7B5EF44319F50847BE848E7341D738AE058B69

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 2098 40632c-406346 GetModuleHandleA GetProcAddress 2099 406348 2098->2099 2100 40634f-40635c GetProcAddress 2098->2100 2099->2100 2101 406365-406372 GetProcAddress 2100->2101 2102 40635e 2100->2102 2103 406374-406376 SetProcessDEPPolicy 2101->2103 2104 406378-406379 2101->2104 2102->2101 2103->2104
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00499298), ref: 00406332
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040633F
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406355
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040636B
                                                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00499298), ref: 00406376
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                              • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                              • API String ID: 3256987805-3653653586
                                                                                                              • Opcode ID: 7d7bbe465618e4585c438ef3b206e32c98bc9d4bad24831f1f4b353394e5164f
                                                                                                              • Instruction ID: 9a8e57213fbd449cbda58cf554ac4ead7a6b18060d135b7a086c7f718c4e9984
                                                                                                              • Opcode Fuzzy Hash: 7d7bbe465618e4585c438ef3b206e32c98bc9d4bad24831f1f4b353394e5164f
                                                                                                              • Instruction Fuzzy Hash: C6E02DA1380701A8EA1032B20D82F3B104C8B40B69B2A24377D96B45C7DABEDD6455BD

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 2105 423884-42388e 2106 4239b7-4239bb 2105->2106 2107 423894-4238b6 call 41f3d4 GetClassInfoA 2105->2107 2110 4238e7-4238f0 GetSystemMetrics 2107->2110 2111 4238b8-4238cf RegisterClassA 2107->2111 2112 4238f2 2110->2112 2113 4238f5-4238ff GetSystemMetrics 2110->2113 2111->2110 2114 4238d1-4238e2 call 408ccc call 40311c 2111->2114 2112->2113 2115 423901 2113->2115 2116 423904-423960 call 403738 call 4062f8 call 403400 call 42365c SetWindowLongA 2113->2116 2114->2110 2115->2116 2128 423962-423975 call 424188 SendMessageA 2116->2128 2129 42397a-4239a8 GetSystemMenu DeleteMenu * 2 2116->2129 2128->2129 2129->2106 2130 4239aa-4239b2 DeleteMenu 2129->2130 2130->2106
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                                                              • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                                                              • RegisterClassA.USER32(0049A630), ref: 004238C7
                                                                                                              • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                                                              • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                                                              • SetWindowLongA.USER32(00410470,000000FC,0042369C), ref: 00423954
                                                                                                              • SendMessageA.USER32(00410470,00000080,00000001,00000000), ref: 00423975
                                                                                                              • GetSystemMenu.USER32(00410470,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00410470,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410470,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410470,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 183575631-0
                                                                                                              • Opcode ID: dcf1e4bb608db0b13c9ea2834524852589dee19fdd42878d22a9146a5775872e
                                                                                                              • Instruction ID: 82f3192e6ade9fc2431bdc17690f87bdde911e200ecbc62aa143bb8a1c16cd18
                                                                                                              • Opcode Fuzzy Hash: dcf1e4bb608db0b13c9ea2834524852589dee19fdd42878d22a9146a5775872e
                                                                                                              • Instruction Fuzzy Hash: A93177B17402106AE710BFA5DC82F6636989714709F54017BFA44EF2D7C6BDED40876D

                                                                                                               Control-flow Graph (rendered graph image omitted; legend: Executed / Not Executed)
                                                                                                               control_flow_graph 2133 42f5d4-42f5de 2134 42f5e0-42f5e3 call 402d30 2133->2134 2135 42f5e8-42f625 call 402b30 GetActiveWindow GetFocus call 41eeb4 2133->2135 2134->2135 2141 42f637-42f63f 2135->2141 2142 42f627-42f631 RegisterClassA 2135->2142 2143 42f6c6-42f6e2 SetFocus call 403400 2141->2143 2144 42f645-42f676 CreateWindowExA 2141->2144 2142->2141 2144->2143 2145 42f678-42f6bc call 42428c call 403738 CreateWindowExA 2144->2145 2145->2143 2152 42f6be-42f6c1 ShowWindow 2145->2152 2152->2143
                                                                                                              APIs
                                                                                                              • GetActiveWindow.USER32 ref: 0042F603
                                                                                                              • GetFocus.USER32 ref: 0042F60B
                                                                                                              • RegisterClassA.USER32(0049A7AC), ref: 0042F62C
                                                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F700,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F66A
                                                                                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F6B0
                                                                                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F6C1
                                                                                                              • SetFocus.USER32(00000000,00000000,0042F6E3,?,?,?,00000001,00000000,?,004583FA,00000000,0049C628), ref: 0042F6C8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                                              • String ID: TWindowDisabler-Window
                                                                                                              • API String ID: 3167913817-1824977358
                                                                                                              • Opcode ID: 329e45f8b9a76be32e2a3852da0fb01f5e5fb6a649be07f73332a055a5178ca6
                                                                                                              • Instruction ID: d29da226113d58e61871af9e0701154b32a21c5c31e3c64538275018e3c6a7a6
                                                                                                              • Opcode Fuzzy Hash: 329e45f8b9a76be32e2a3852da0fb01f5e5fb6a649be07f73332a055a5178ca6
                                                                                                              • Instruction Fuzzy Hash: 35219771740710BAE210EFA59C43F1A76B4EF04B54F91413BF504AB2E1D7B95C1587AD

                                                                                                               Control-flow Graph (rendered graph image omitted; legend: Executed / Not Executed)
                                                                                                               control_flow_graph 2153 453264-4532b5 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 2154 4532b7-4532be 2153->2154 2155 4532c0-4532c2 2153->2155 2154->2155 2156 4532c4 2154->2156 2157 4532c6-4532fc call 42e3a4 call 42e8d8 call 403400 2155->2157 2156->2157
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 00453284
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045328A
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 0045329E
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004532A4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                              • API String ID: 1646373207-2130885113
                                                                                                              • Opcode ID: fefb573a8bf21237f087afe8746b401672172bd733c1b35172c6518a57225724
                                                                                                              • Instruction ID: 110c83de3d6355277510abd5b52a320a2c8dd2afbae334eef16c728cb9d202ef
                                                                                                              • Opcode Fuzzy Hash: fefb573a8bf21237f087afe8746b401672172bd733c1b35172c6518a57225724
                                                                                                              • Instruction Fuzzy Hash: 5E01DF70644645AFD300BF769C02F2A3A58E705B9BF60447BFC00A62D3CA7C8A0CCA2D
                                                                                                              APIs
                                                                                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004672CB
                                                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004672F1
                                                                                                                • Part of subcall function 00467168: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467200
                                                                                                                • Part of subcall function 00467168: DestroyCursor.USER32(00000000), ref: 00467216
                                                                                                              • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467348
                                                                                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 004673A9
                                                                                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004673CF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                              • String ID: c:\directory$shell32.dll
                                                                                                              • API String ID: 3376378930-1375355148
                                                                                                              • Opcode ID: 8ba974db7d431cfc828555254f055e085d4bb255e1d8418bde2e11c534446a10
                                                                                                              • Instruction ID: 712749594264273e91c57dfa4baa87cbb3c5fbf3a827f6648ccfc37e71b26823
                                                                                                              • Opcode Fuzzy Hash: 8ba974db7d431cfc828555254f055e085d4bb255e1d8418bde2e11c534446a10
                                                                                                              • Instruction Fuzzy Hash: 3B515F70604204AFDB10EF65CC89FDEB7E8AB48308F1041B7F80897351D6389E80DB59
                                                                                                              APIs
                                                                                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 004309BC
                                                                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004309CB
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 004309E5
                                                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00430A06
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                                              • API String ID: 4130936913-2943970505
                                                                                                              • Opcode ID: c544fb85ff372cb1e77a17e690d9a21f18419a27c2c54a515182e1a09c276035
                                                                                                              • Instruction ID: 7bf223393b5a8c163278de6a14ca069cc176d79392cc0efa73562a49209d61c7
                                                                                                              • Opcode Fuzzy Hash: c544fb85ff372cb1e77a17e690d9a21f18419a27c2c54a515182e1a09c276035
                                                                                                              • Instruction Fuzzy Hash: 2FF082709583409BC300FB6598427197BE0AB58308F00567FB458A2291E77C9900CB5F
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,004552A0,004552A0,00000031,004552A0,00000000), ref: 0045522E
                                                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,004552A0,004552A0,00000031,004552A0), ref: 0045523B
                                                                                                                • Part of subcall function 00454FF0: WaitForInputIdle.USER32(00000001,00000032), ref: 0045501C
                                                                                                                • Part of subcall function 00454FF0: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045503E
                                                                                                                • Part of subcall function 00454FF0: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 0045504D
                                                                                                                • Part of subcall function 00454FF0: CloseHandle.KERNEL32(00000001,0045507A,00455073,?,00000031,00000080,00000000,?,?,004553D3,00000080,0000003C,00000000,004553E9), ref: 0045506D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                              • API String ID: 854858120-615399546
                                                                                                              • Opcode ID: d2a51973db6fb381566d3318c8d1c64650a6deee5eec0096a1c7ebc239f8887e
                                                                                                              • Instruction ID: fd2d6d40b6f8736679a78553b36ca572aba09dccd5489fff61a9141705bf80db
                                                                                                              • Opcode Fuzzy Hash: d2a51973db6fb381566d3318c8d1c64650a6deee5eec0096a1c7ebc239f8887e
                                                                                                              • Instruction Fuzzy Hash: 26516D30A0071DABDF01EF95C852BEEBBB9AF44345F50407BF804B7282D7785A098B59
                                                                                                              APIs
                                                                                                              • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                                              • OemToCharA.USER32(?,?), ref: 0042376C
                                                                                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Char$FileIconLoadLowerModuleName
                                                                                                              • String ID: 2$MAINICON
                                                                                                              • API String ID: 3935243913-3181700818
                                                                                                              • Opcode ID: 94be23ded0f0311b18ce29275d80a7e53a17d1ad05c6cae946e4599a61e1d5ea
                                                                                                              • Instruction ID: 6f4b3398584102735ad00b8493fe389bc1dbaef6f787fac7706901cc0cbf584f
                                                                                                              • Opcode Fuzzy Hash: 94be23ded0f0311b18ce29275d80a7e53a17d1ad05c6cae946e4599a61e1d5ea
                                                                                                              • Instruction Fuzzy Hash: 23319370A042549ADF10EF69C8C57C67BE8AF14308F4441BAE844DB393D7BED988CB69
                                                                                                              APIs
                                                                                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                                                                • Part of subcall function 004230D8: GetDC.USER32(00000000), ref: 0042312E
                                                                                                                • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410470,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                                                • Part of subcall function 004230D8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423149
                                                                                                                • Part of subcall function 004230D8: ReleaseDC.USER32(00000000,00000000), ref: 00423154
                                                                                                                • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                                                                • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                                                                • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                                                                • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                                                                • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                                                                • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                                                                • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                                                                • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                              • API String ID: 316262546-2767913252
                                                                                                              • Opcode ID: 13d9bdced9750e67f73d93ec74d54abaa35f495c5bba4d3cc3e2f323313cf858
                                                                                                              • Instruction ID: b4be2cf3334f9eeef2f7e30357217019d1f7f37f78cfa945b19fc5b38c57745f
                                                                                                              • Opcode Fuzzy Hash: 13d9bdced9750e67f73d93ec74d54abaa35f495c5bba4d3cc3e2f323313cf858
                                                                                                              • Instruction Fuzzy Hash: CE112CB06142409BC740FF66998278A7BE1AB68308F40943FF848E7291DB3DAD458B1E
                                                                                                              APIs
                                                                                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
                                                                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0041367F
                                                                                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413691
                                                                                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
                                                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136BB
                                                                                                              • SetPropA.USER32(?,00000000,00000000), ref: 004136D2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LongWindow$Prop
                                                                                                              • String ID:
                                                                                                              • API String ID: 3887896539-0
                                                                                                              • Opcode ID: 34b367db4fa110d3f73a4511ae8beb0e64a5e5a51f2810bc4cb64f6c76f31942
                                                                                                              • Instruction ID: 3f72449cbd34e5f3a25e72b7cfa2937fee5ee0203059de802df544128507dfad
                                                                                                              • Opcode Fuzzy Hash: 34b367db4fa110d3f73a4511ae8beb0e64a5e5a51f2810bc4cb64f6c76f31942
                                                                                                              • Instruction Fuzzy Hash: DA11CC76100244BFDF00DF99DC84E9A37E8AB19364F104266B918DB3E2D739E9909B99
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00455917,?,00000000,00455957), ref: 0045585D
                                                                                                              Strings
                                                                                                              • PendingFileRenameOperations2, xrefs: 0045582C
                                                                                                              • PendingFileRenameOperations, xrefs: 004557FC
                                                                                                              • WININIT.INI, xrefs: 0045588C
                                                                                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004557E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                              • API String ID: 47109696-2199428270
                                                                                                              • Opcode ID: d6aaa45444c4cce775ea3ed1e02519811f6359e75aa14beb5e2e26aef1c4477d
                                                                                                              • Instruction ID: 0edf169a16dfa4fb7533b8b55fc7b889579560f25e46b257abcc71cf1b5dc2f9
                                                                                                              • Opcode Fuzzy Hash: d6aaa45444c4cce775ea3ed1e02519811f6359e75aa14beb5e2e26aef1c4477d
                                                                                                              • Instruction Fuzzy Hash: AB519874E00608DBDB10EF62DC51AEEB7B9EF44315F50847BEC04A7292DB7CAA45CA58
                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047D16E,?,?,00000000,0049C628,00000000,00000000,?,00498C11,00000000,00498DBA,?,00000000), ref: 0047D0AB
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0047D16E,?,?,00000000,0049C628,00000000,00000000,?,00498C11,00000000,00498DBA,?,00000000), ref: 0047D0B4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                              • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                                              • API String ID: 1375471231-2952887711
                                                                                                              • Opcode ID: 25c04a0431a7ee364bf77b853a87c64d84ba0ee8a91acc81a543a28b47532cb6
                                                                                                              • Instruction ID: c65adf921b1b6e4579252068e4265065b5a45be28dde5098669b3b5892976db2
                                                                                                              • Opcode Fuzzy Hash: 25c04a0431a7ee364bf77b853a87c64d84ba0ee8a91acc81a543a28b47532cb6
                                                                                                              • Instruction Fuzzy Hash: F9411674E101099BDB01EF95DC82ADEB7B9EF45309F50853BE81477392DB38AE058B68
                                                                                                              APIs
                                                                                                              • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                                                              • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                                                              • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$EnumLongWindows
                                                                                                              • String ID: lAB
                                                                                                              • API String ID: 4191631535-3476862382
                                                                                                              • Opcode ID: 7dcdbb5f1d382cba8886e06331430e6d6fce3cff686b988b3074a9d4c358ab09
                                                                                                              • Instruction ID: 1d232068e43b915345d7588b37cc7287aafbcd058231e570564fb52883b43028
                                                                                                              • Opcode Fuzzy Hash: 7dcdbb5f1d382cba8886e06331430e6d6fce3cff686b988b3074a9d4c358ab09
                                                                                                              • Instruction Fuzzy Hash: E3115E70704610ABDB10AF28DC85F5A77E8EB08725F50026AF9A49B2E7C378DD40CB58
                                                                                                              APIs
                                                                                                              • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE60
                                                                                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFFB,00000000,0042E013,?,?,?,?,00000006,?,00000000,00497F35), ref: 0042DE7B
                                                                                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE81
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressDeleteHandleModuleProc
                                                                                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                                              • API String ID: 588496660-1846899949
                                                                                                              • Opcode ID: 780e4264db312733bee64b8429de1b59d21d94b92bca9a45197840037c94c444
                                                                                                              • Instruction ID: 9cada17f2adbafa0ebcb77ec43832f820b82eaaa71c9ca0bcc52793b6cf27115
                                                                                                              • Opcode Fuzzy Hash: 780e4264db312733bee64b8429de1b59d21d94b92bca9a45197840037c94c444
                                                                                                              • Instruction Fuzzy Hash: EFE065B1B40A70BAD62036657C89B972718DB79325F615537F105A91D182BC1C40CE9C
                                                                                                              Strings
                                                                                                              • PrepareToInstall failed: %s, xrefs: 0046BF6E
                                                                                                              • NextButtonClick, xrefs: 0046BD4C
                                                                                                              • Need to restart Windows? %s, xrefs: 0046BF95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                                              • API String ID: 0-2329492092
                                                                                                              • Opcode ID: 2482342cf09780f3cc85a79916584030efb236fd66ea0455236200f368d4c793
                                                                                                              • Instruction ID: 9b4fd168f37c7da821868febde12ed9d5c4eb704a6c877b85ca6115e961808cc
                                                                                                              • Opcode Fuzzy Hash: 2482342cf09780f3cc85a79916584030efb236fd66ea0455236200f368d4c793
                                                                                                              • Instruction Fuzzy Hash: ECD12B34A00109DFCB10EFA9D585AEE77F5EF49304F6440BAE404AB352E778AE45CB5A
APIs
• SetActiveWindow.USER32(?,?,00000000,004838B9), ref: 0048368C
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0048372A
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
APIs
  • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
• GetLastError.KERNEL32(00000000,0046FED1,?,?,0049D1E0,00000000), ref: 0046FDAE
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FE28
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FE4D
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454EF6
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454FBC), ref: 00454F60
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
APIs
• 74D41520.VERSION(00000000,?,?,?,00497FD8), ref: 004525A4
• 74D41500.VERSION(00000000,?,00000000,?,00000000,0045261F,?,00000000,?,?,?,00497FD8), ref: 004525D1
• 74D41540.VERSION(?,00452648,?,?,00000000,?,00000000,?,00000000,0045261F,?,00000000,?,?,?,00497FD8), ref: 004525EB
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: D41500D41520D41540
• String ID: Y&E
• API String ID: 2153611984-1497692694
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDD5
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
  • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
  • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDB8
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(?,00455B23,?,00000001,00000000), ref: 00455B16
Strings
• PendingFileRenameOperations2, xrefs: 00455AF7
• PendingFileRenameOperations, xrefs: 00455AE8
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455AC4
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472521,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD), ref: 004724FD
• FindClose.KERNEL32(000000FF,00472528,00472521,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD,?), ref: 0047251B
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472643,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD), ref: 0047261F
• FindClose.KERNEL32(000000FF,0047264A,00472643,?,00000000,?,0049D1E0,00000000,00472711,?,00000000,?,00000000,?,004728DD,?), ref: 0047263D
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625,?,?,00000000), ref: 00480222
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625,?,?), ref: 0048022F
• FindNextFileA.KERNEL32(000000FF,?,00000000,00480348,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625), ref: 00480324
• FindClose.KERNEL32(000000FF,0048034F,00480348,?,?,?,?,00000000,00480375,?,00000000,00000000,?,?,00481625,?), ref: 00480342
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
                                                                                                              APIs
                                                                                                              • GetMenu.USER32(00000000), ref: 00421371
                                                                                                              • SetMenu.USER32(00000000,00000000), ref: 0042138E
                                                                                                              • SetMenu.USER32(00000000,00000000), ref: 004213C3
                                                                                                              • SetMenu.USER32(00000000,00000000), ref: 004213DF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu
                                                                                                              • String ID:
                                                                                                              • API String ID: 3711407533-0
                                                                                                              • Opcode ID: e1bfbeb149fb62e2ad3ad2db837168bd52a0f21d6f4abec7b0304e20cb9d907d
                                                                                                              • Instruction ID: e7a4369f7fbd106bab2429e1e1dd333134a7e32046ee40fa4552f8195e128e42
                                                                                                              • Opcode Fuzzy Hash: e1bfbeb149fb62e2ad3ad2db837168bd52a0f21d6f4abec7b0304e20cb9d907d
                                                                                                              • Instruction Fuzzy Hash: 3F41BE3070026457EB20EA7AA88579B26965F69318F4815BFBC40DF3A3CA7DCC49839D
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(?,?,?,?), ref: 00416B94
                                                                                                              • SetTextColor.GDI32(?,00000000), ref: 00416BAE
                                                                                                              • SetBkColor.GDI32(?,00000000), ref: 00416BC8
                                                                                                              • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Color$CallMessageProcSendTextWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 601730667-0
                                                                                                              • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                              • Instruction ID: 87133af12c35957a9f748eb5c35761c869d5d8ea54ed11f3f8892641f8a911b8
                                                                                                              • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                              • Instruction Fuzzy Hash: A71151B5600A04AFC710EE6ECC84E8773ECDF48314715843EB59ADB612D63CF8418B69
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 0042312E
                                                                                                              • EnumFontsA.GDI32(00000000,00000000,00423078,00410470,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423149
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00423154
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CapsDeviceEnumFontsRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 2698912916-0
                                                                                                              • Opcode ID: 94eb306c5e826a01f1e4729cfd5040e8a639f913efc3b2db58b8d9c882bc8d8f
                                                                                                              • Instruction ID: 95c686a17d04cc75fabac772af01a2849e5ccccd572a20f260adec4fb0f0daed
                                                                                                              • Opcode Fuzzy Hash: 94eb306c5e826a01f1e4729cfd5040e8a639f913efc3b2db58b8d9c882bc8d8f
                                                                                                              • Instruction Fuzzy Hash: 7D01DE617043002AE310BF7A5C82BAB3BA49F05319F40027FF908AA3C2D67E9C0447AE
                                                                                                              APIs
                                                                                                              • GlobalHandle.KERNEL32 ref: 0040627F
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00406286
                                                                                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040628B
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00406291
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Global$AllocHandleLockUnlock
                                                                                                              • String ID:
                                                                                                              • API String ID: 2167344118-0
                                                                                                              • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                                              • Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
                                                                                                              • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                                              • Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A
                                                                                                              APIs
                                                                                                                • Part of subcall function 004509A0: SetEndOfFile.KERNEL32(?,?,0045C3EA,00000000,0045C575,?,00000000,00000002,00000002), ref: 004509A7
                                                                                                              • FlushFileBuffers.KERNEL32(?), ref: 0045C541
                                                                                                              Strings
                                                                                                              • EndOffset range exceeded, xrefs: 0045C475
                                                                                                              • NumRecs range exceeded, xrefs: 0045C43E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$BuffersFlush
                                                                                                              • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                                              • API String ID: 3593489403-659731555
                                                                                                              • Opcode ID: aa52e399180f0699983c3f92ff45f69b6c274b580d00465cafb9d74568cd5a77
                                                                                                              • Instruction ID: 57127da9839884e48f93c65e4688b7b5a24f3d4ce709f11da5987aa0442ebed2
                                                                                                              • Opcode Fuzzy Hash: aa52e399180f0699983c3f92ff45f69b6c274b580d00465cafb9d74568cd5a77
                                                                                                              • Instruction Fuzzy Hash: E461A234A003588FDB25DF25C891AD9B7B5EF49305F0084DAED89AB352DA74AEC8CF54
                                                                                                              APIs
                                                                                                                • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049928E), ref: 0040334B
                                                                                                                • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049928E), ref: 00403356
                                                                                                                • Part of subcall function 0040632C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00499298), ref: 00406332
                                                                                                                • Part of subcall function 0040632C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040633F
                                                                                                                • Part of subcall function 0040632C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406355
                                                                                                                • Part of subcall function 0040632C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040636B
                                                                                                                • Part of subcall function 0040632C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00499298), ref: 00406376
                                                                                                                • Part of subcall function 004063D4: 6F551CD0.COMCTL32(0049929D), ref: 004063D4
                                                                                                                • Part of subcall function 00410774: GetCurrentThreadId.KERNEL32 ref: 004107C2
                                                                                                                • Part of subcall function 00419050: GetVersion.KERNEL32(004992B6), ref: 00419050
                                                                                                                • Part of subcall function 0044F7B8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004992CA), ref: 0044F7F3
                                                                                                                • Part of subcall function 0044F7B8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F7F9
                                                                                                                • Part of subcall function 0044FC84: GetVersionExA.KERNEL32(0049C790,004992CF), ref: 0044FC93
                                                                                                                • Part of subcall function 00453264: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 00453284
                                                                                                                • Part of subcall function 00453264: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045328A
                                                                                                                • Part of subcall function 00453264: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004532FD,?,?,?,?,00000000,?,004992DE), ref: 0045329E
                                                                                                                • Part of subcall function 00453264: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004532A4
                                                                                                                • Part of subcall function 0045715C: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00457180
                                                                                                                • Part of subcall function 0046469C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004992F2), ref: 004646AB
                                                                                                                • Part of subcall function 0046469C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004646B1
                                                                                                                • Part of subcall function 0046CEF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CF05
                                                                                                                • Part of subcall function 0047905C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004992FC), ref: 00479062
                                                                                                                • Part of subcall function 0047905C: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047906F
                                                                                                                • Part of subcall function 0047905C: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047907F
                                                                                                                • Part of subcall function 0048446C: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0048455B
                                                                                                                • Part of subcall function 0049628C: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004962A5
                                                                                                              • SetErrorMode.KERNEL32(00000001,00000000,00499344), ref: 00499316
                                                                                                                • Part of subcall function 00499040: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00499320,00000001,00000000,00499344), ref: 0049904A
                                                                                                                • Part of subcall function 00499040: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00499050
                                                                                                                • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
                                                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                              • ShowWindow.USER32(?,00000005,00000000,00499344), ref: 00499377
                                                                                                                • Part of subcall function 00482AAC: SetActiveWindow.USER32(?), ref: 00482B5A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                                              • String ID: Setup
                                                                                                              • API String ID: 3870281231-3839654196
                                                                                                              • Opcode ID: 15cfdf88744bc512192f40e420d66a265f79e019c942488644b8f35a08c257c3
                                                                                                              • Instruction ID: 0ced0f24ac175d21b3299cf0cac8cd2bc44ae01cd64648103e70fccb26a7f3a2
                                                                                                              • Opcode Fuzzy Hash: 15cfdf88744bc512192f40e420d66a265f79e019c942488644b8f35a08c257c3
                                                                                                              • Instruction Fuzzy Hash: A231C6312086408FD6117BBBEC5365D3BA8EB8D718BA2447FF80496693DE3D5C118A7E
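The function block above is where the sample resolves most of its Win32 dependencies at run time (GetModuleHandleA / LoadLibraryA followed by GetProcAddress for SetDllDirectoryW, SetProcessDEPPolicy, Wow64DisableWow64FsRedirection, SHGetKnownFolderPath and others), which is what the "Extensive use of GetProcAddress" signature is keyed on. When triaging a report like this one it helps to pull those names out of the listing mechanically rather than by eye. The parser below is an added example, not part of the Joe Sandbox report or its tooling; its input is a constructed sample of "APIs" lines copied from the listings on this page, and it assumes the line shape `API.MODULE(arg,arg,...), ref: ADDRESS` with an optional `Part of subcall function XXXXXXXX:` prefix. Because Joe Sandbox prints stack slots as they were at call time, the second GetProcAddress argument can hold a stale value (the listing above shows `user32.dll` in that slot), so anything that is not a plausible export name is dropped and the result is a triage hint, not a complete import list.

```python
import re

# Constructed sample: "APIs" lines in the shape Joe Sandbox prints them
# (API.MODULE(args), ref: address), copied from the function listings above.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00499298), ref: 00406332
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040633F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406355
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040636B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00499298), ref: 00406376
  • Part of subcall function 0046469C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004992F2), ref: 004646AB
  • Part of subcall function 0046469C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004646B1
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0048455B
• GlobalHandle.KERNEL32 ref: 0040627F
"""

# One listing line: optional bullet, optional subcall prefix, API.MODULE, optional
# "(args)", then "ref: <addr>". Lines without parentheses (GlobalHandle above) still match.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

HEX32 = re.compile(r"[0-9A-Fa-f]{8}")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_api_lines(text):
    """Parse Joe Sandbox 'APIs' lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": m.group("ref"),
            "caller": m.group("caller"),  # set only for 'Part of subcall function' lines
        })
    return calls


def looks_like_symbol(value):
    """True for a plausible export name; rejects '?', 8-digit hex stack slots and 'x.dll'."""
    return bool(IDENT.fullmatch(value)) and not HEX32.fullmatch(value)


def resolved_symbols(calls):
    """Export names passed as lpProcName to GetProcAddress (the second listed argument).

    The slot is a stack snapshot and can be stale, so non-symbol values are dropped.
    """
    names = set()
    for c in calls:
        if c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            if looks_like_symbol(c["args"][1]):
                names.add(c["args"][1])
    return sorted(names)


def loaded_libraries(calls):
    """Module names handed to LoadLibrary* / GetModuleHandle* as the first argument."""
    libs = set()
    for c in calls:
        if c["api"].startswith(("LoadLibrary", "GetModuleHandle")) and c["args"]:
            if c["args"][0].lower().endswith(".dll"):
                libs.add(c["args"][0].lower())
    return sorted(libs)


def static_import_names(calls):
    """APIs the block reaches through its import table, i.e. everything but the resolver calls."""
    resolvers = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW",
                 "GetModuleHandleA", "GetModuleHandleW"}
    return sorted({c["api"] for c in calls if c["api"] not in resolvers})


def hidden_import_report(text):
    """Summarise which dependencies are visible statically and which only appear at run time."""
    calls = parse_api_lines(text)
    return {
        "libraries": loaded_libraries(calls),
        "resolved_at_runtime": resolved_symbols(calls),
        "called_directly": static_import_names(calls),
    }


if __name__ == "__main__":
    for key, values in hidden_import_report(SAMPLE).items():
        print(f"{key}: {', '.join(values)}")
```

Run against a whole report, the `resolved_at_runtime` list is the set of names to compare with the PE's static import table: names that appear here but not in the import directory are the ones the binary deliberately keeps out of static view, and are the first thing to cross-check against what an installer stub (this block carries the `Setup` string) would legitimately need.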
                                                                                                              APIs
                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B87,?,?,00000000,0049C628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453ADE
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B87,?,?,00000000,0049C628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453AE7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                                              • String ID: .tmp
                                                                                                              • API String ID: 1375471231-2986845003
                                                                                                              • Opcode ID: 2ed80e6416608dc6150e1b9fc551355d0b346647940dac95e05b365424d6ca6b
                                                                                                              • Instruction ID: ff9a18ef253650dbf03605879231b3438c9749bdb0146341c5730265e1144e14
                                                                                                              • Opcode Fuzzy Hash: 2ed80e6416608dc6150e1b9fc551355d0b346647940dac95e05b365424d6ca6b
                                                                                                              • Instruction Fuzzy Hash: A4213674A00208ABDB01EFA5C8529EEB7B8EB44315F50457BF801B7342DA389F058B69
                                                                                                              APIs
                                                                                                                • Part of subcall function 00483F60: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483F71
                                                                                                                • Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483F7E
                                                                                                                • Part of subcall function 00483F60: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483F8C
                                                                                                                • Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483F94
                                                                                                                • Part of subcall function 00483F60: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483FA0
                                                                                                                • Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483FC1
                                                                                                                • Part of subcall function 00483F60: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483FD4
                                                                                                                • Part of subcall function 00483F60: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483FDA
                                                                                                                • Part of subcall function 0048428C: GetVersionExA.KERNEL32(?,0048449E,00000000,00484573,?,?,?,?,?,00499301), ref: 0048429A
                                                                                                                • Part of subcall function 0048428C: GetVersionExA.KERNEL32(0000009C,?,0048449E,00000000,00484573,?,?,?,?,?,00499301), ref: 004842EC
                                                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                              • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0048455B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                                              • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                              • API String ID: 3869789854-2936008475
                                                                                                              • Opcode ID: 177ecd477187cf0aa2f8efa4f2166874e312c59e244f709b907e4e614229d51f
                                                                                                              • Instruction ID: 72a1cd0c007ae7d2331b3d049f57d6a032e0567b1decddf8ad8e9e8191a8a5bf
                                                                                                              • Opcode Fuzzy Hash: 177ecd477187cf0aa2f8efa4f2166874e312c59e244f709b907e4e614229d51f
                                                                                                              • Instruction Fuzzy Hash: D821EFB0A243416AC700BFBE596614A3BA5EB9471C390493BF800EB3D1D67E6414AB6E
                                                                                                              APIs
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047CDB0,00000000,0047CDC6), ref: 0047CABE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID: RegisteredOrganization$RegisteredOwner
                                                                                                              • API String ID: 3535843008-1113070880
                                                                                                              • Opcode ID: 6f9c09efad981c5bd73ac330414f3a1e85251ce5b1d1905e82279f7a283c4c8b
                                                                                                              • Instruction ID: 80e31e652a078fa29572911d568a821ff54af8e3d41ae7cfbc3eead46bc77173
                                                                                                              • Opcode Fuzzy Hash: 6f9c09efad981c5bd73ac330414f3a1e85251ce5b1d1905e82279f7a283c4c8b
                                                                                                              • Instruction Fuzzy Hash: 99F09021B04108ABD710D664EC82B9B33A9D741308F24847FA1049B351D679AE00975C
                                                                                                              APIs
                                                                                                              • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,JfG,?,0049D1E0,?,0046F353,?,00000000,0046F8EE,?,_is1), ref: 0046F05F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value
                                                                                                              • String ID: Inno Setup: Setup Version$JfG
                                                                                                              • API String ID: 3702945584-2837433363
                                                                                                              • Opcode ID: ba37289afc6bf64f1b4e35152e82186c6909c63cd97613f7ebaef7afec976743
                                                                                                              • Instruction ID: 9307b71ef0b0d9a21e7f4f46c2dc1735a92df317579ad27da25cacea1a1ff421
                                                                                                              • Opcode Fuzzy Hash: ba37289afc6bf64f1b4e35152e82186c6909c63cd97613f7ebaef7afec976743
                                                                                                              • Instruction Fuzzy Hash: 0AE06D713016047FD710AA6B9C85F5BABDCDF88365F00403AB908DB392D578DD0042A8
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004758BF), ref: 004756AD
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,004758BF), ref: 004756C4
                                                                                                                • Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateErrorFileHandleLast
                                                                                                              • String ID: CreateFile
                                                                                                              • API String ID: 2528220319-823142352
                                                                                                              • Opcode ID: 987bab987f918cbbcd4a0fbcaaf07fd7f86d6a420f73eccc9c31e808c1deb67f
                                                                                                              • Instruction ID: 806dc226f5a2fe5ebbb1f055bcab6d135f745baec99644e0dc49489f7e0d9994
                                                                                                              • Opcode Fuzzy Hash: 987bab987f918cbbcd4a0fbcaaf07fd7f86d6a420f73eccc9c31e808c1deb67f
                                                                                                              • Instruction Fuzzy Hash: E4E06D303403447BEA10EA79DCC6F4A77989B04778F108151FA48AF3E2C5B9FC408A58
                                                                                                              APIs
                                                                                                                • Part of subcall function 004570EC: CoInitialize.OLE32(00000000), ref: 004570F2
                                                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                              • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00457180
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                                              • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                                              • API String ID: 2906209438-2320870614
                                                                                                              • Opcode ID: cc1147c2e1d815ada544a8deacfd39f8fc5ac30e44f7f731c453ecb89e44e363
                                                                                                              • Instruction ID: 9c527047bf7e84dae422e031a0d6d6e9bbae4a3d03e504f065b317ec79f67602
                                                                                                              • Opcode Fuzzy Hash: cc1147c2e1d815ada544a8deacfd39f8fc5ac30e44f7f731c453ecb89e44e363
                                                                                                              • Instruction Fuzzy Hash: 6AC04CA0B4591066C70077B6AC0361F24459B4072FB14C07BBD44A7787CE3D884D6A6E
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042E3A4: SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
                                                                                                                • Part of subcall function 0042E3A4: LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
                                                                                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CF05
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorLibraryLoadModeProc
                                                                                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                              • API String ID: 2492108670-2683653824
                                                                                                              • Opcode ID: b39adebe5b5dd13606c39516680d492bcb389ea4347c3d86a6e1c09172fda979
                                                                                                              • Instruction ID: 33f7e53ae4e5ba8297804bd6606edee94f75655c5a8d17986cd3cb8a189a0b51
                                                                                                              • Opcode Fuzzy Hash: b39adebe5b5dd13606c39516680d492bcb389ea4347c3d86a6e1c09172fda979
                                                                                                              • Instruction Fuzzy Hash: CDB092B0A146405ACB446772988262B20069B4071DF60843BB4C4AB6D9EABC88492B9F
                                                                                                              APIs
                                                                                                              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,0044877D), ref: 004486C0
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00448741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                              • String ID:
                                                                                                              • API String ID: 2574300362-0
                                                                                                              • Opcode ID: 9192854c716958fcf12a54fd54f15ae173329ead0ce31acd6b56a672af8f6247
                                                                                                              • Instruction ID: 67510ac2dd358758032eb9bd0b15bc7699fd1d5ac1297ef1938a655c08aa7b0d
                                                                                                              • Opcode Fuzzy Hash: 9192854c716958fcf12a54fd54f15ae173329ead0ce31acd6b56a672af8f6247
                                                                                                              • Instruction Fuzzy Hash: 89515574E00109AFDB10EF95C891A9EB7F9EB44315F20817FE814BB391CA789E05CB99
                                                                                                              APIs
                                                                                                              • GetSystemMenu.USER32(00000000,00000000,00000000,00482298), ref: 00482230
                                                                                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00482241
                                                                                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00482259
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Append$System
                                                                                                              • String ID:
                                                                                                              • API String ID: 1489644407-0
                                                                                                              • Opcode ID: b0f6966b6a184f1facb0a871f26b18c64fa7cdea68dfa8979e13f5b501864372
                                                                                                              • Instruction ID: a26f55f7f9cdec50315d50fbbd1418f41be5c601f9b239732c1f252fb764c371
                                                                                                              • Opcode Fuzzy Hash: b0f6966b6a184f1facb0a871f26b18c64fa7cdea68dfa8979e13f5b501864372
                                                                                                              • Instruction Fuzzy Hash: FE31CD707043451BD721BB368D86B9E3B949B5A318F50197FF900AA3E3CABC9D09839D
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 0044B475
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0044B498
                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 0044B4CB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ObjectReleaseSelect
                                                                                                              • String ID:
                                                                                                              • API String ID: 1831053106-0
                                                                                                              • Opcode ID: a18c564e5665bffaeec971d30f69da7c159b46b6830c6159626304e36c153c38
                                                                                                              • Instruction ID: 7b4e641b5f80a70363e1f29cb6207b12473e64a09d761e596b30cfa5093ee172
                                                                                                              • Opcode Fuzzy Hash: a18c564e5665bffaeec971d30f69da7c159b46b6830c6159626304e36c153c38
                                                                                                              • Instruction Fuzzy Hash: FE217970E04344BFEB11DFA5C841B9EBBB8DB49304F51807AF900A6292D77CD940CB59
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B1C0,?,00482AC7,?,?), ref: 0044B192
                                                                                                              • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B1A5
                                                                                                              • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B1D9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DrawText$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 65125430-0
                                                                                                              • Opcode ID: 9eed18fe0356815f810c820b6721896f6c4265f9db16303b213c34b2c03d3f04
                                                                                                              • Instruction ID: 63060d4c4a21d3a06b37f0b793f587d40fe85ad593019d515c43c5dd919fcfdf
                                                                                                              • Opcode Fuzzy Hash: 9eed18fe0356815f810c820b6721896f6c4265f9db16303b213c34b2c03d3f04
                                                                                                              • Instruction Fuzzy Hash: 3111CBB27046047FEB11DB6A9C82D6F77ECDB49750F10417BF504D72D0D6389E018669
                                                                                                              APIs
                                                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                                                              • TranslateMessage.USER32(?), ref: 0042449F
                                                                                                              • DispatchMessageA.USER32(?), ref: 004244A9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$DispatchPeekTranslate
                                                                                                              • String ID:
                                                                                                              • API String ID: 4217535847-0
                                                                                                              • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                                              • Instruction ID: 24a07c1e81c585bad35552c3917a3e7b04f02dd2aaee7f9545dc892aa94dfb52
                                                                                                              • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                                              • Instruction Fuzzy Hash: AE119E307043205AEE20FA64AD41B9B73D4DFE1708F80881EF8D997382D77D9E49879A
                                                                                                              APIs
                                                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                                                              • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Prop$Window
                                                                                                              • String ID:
                                                                                                              • API String ID: 3363284559-0
                                                                                                              • Opcode ID: 9ba9d7b7418b74f48756624976096bebc6fb66c7a646a8b19f5d3d1e069ceb03
                                                                                                              • Instruction ID: 86f537f0b59e140ef7690159b30d1f2105a0adb91ae91f828a802e84d443a7b9
                                                                                                              • Opcode Fuzzy Hash: 9ba9d7b7418b74f48756624976096bebc6fb66c7a646a8b19f5d3d1e069ceb03
                                                                                                              • Instruction Fuzzy Hash: 4AF0BD72741220ABE710AB598C85FA632ECAB0D715F16017ABA05EF286C679DC4087A8
                                                                                                              APIs
                                                                                                              • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                                                              • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                                                              • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$EnableEnabledVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 3234591441-0
                                                                                                              • Opcode ID: 908e1640c45beef437f125b63470cd7f97cb81b788dbbb5d15c196427eefded0
                                                                                                              • Instruction ID: 2c5c4f0331a1d41ebe9848165d0c8b98450d8d3461f9c723900bbadb0b89b381
                                                                                                              • Opcode Fuzzy Hash: 908e1640c45beef437f125b63470cd7f97cb81b788dbbb5d15c196427eefded0
                                                                                                              • Instruction Fuzzy Hash: 2DE0E5B81003006EE310AB2BEC81A57779CAB55354F55843BAC0997292D63ED8509ABD
                                                                                                              APIs
                                                                                                              • SetActiveWindow.USER32(?), ref: 0046A0F1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ActiveWindow
                                                                                                              • String ID: PrepareToInstall
                                                                                                              • API String ID: 2558294473-1101760603
                                                                                                              • Opcode ID: b7687f3bb43c73226d704110cc29f9815bff5a15c1e12b08bb6fc701f5c431d6
                                                                                                              • Instruction ID: 8b7f344ad1fa3e917ae8cfb2dbd3f87d9064e965c7569195748e39604a53e5b8
                                                                                                              • Opcode Fuzzy Hash: b7687f3bb43c73226d704110cc29f9815bff5a15c1e12b08bb6fc701f5c431d6
                                                                                                              • Instruction Fuzzy Hash: D2A11934A00109DFCB00EF99D986EDEB7F5AF49304F5540B6E804AB366D738AE45CB5A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: /:*?"<>|
                                                                                                              • API String ID: 0-4078764451
                                                                                                              • Opcode ID: 06161939b9b6972920a3f4778fa34d5926bec049205355badb073ad507413406
                                                                                                              • Instruction ID: 6f1ddb1d4c6bf41fe4e6ef022f3ca721468d6fb529cb74a3921b09cafe59df1d
                                                                                                              • Opcode Fuzzy Hash: 06161939b9b6972920a3f4778fa34d5926bec049205355badb073ad507413406
                                                                                                              • Instruction Fuzzy Hash: BB719270A44205ABEB20F765DCC2BEE77A19B41348F10C077F580BB292E779AD49875E
                                                                                                              APIs
                                                                                                              • SetActiveWindow.USER32(?), ref: 00482B5A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ActiveWindow
                                                                                                              • String ID: InitializeWizard
                                                                                                              • API String ID: 2558294473-2356795471
                                                                                                              • Opcode ID: 9aeb3d77867af7e6d972f6b1feb637164b3d788d95ca79b69b372c6f9b450635
                                                                                                              • Instruction ID: db7d1b329271c039a587c966101a95f378ab38c3ed45019f3272f41b6ba32bbe
                                                                                                              • Opcode Fuzzy Hash: 9aeb3d77867af7e6d972f6b1feb637164b3d788d95ca79b69b372c6f9b450635
                                                                                                              • Instruction Fuzzy Hash: 6D115E31A09200AFD715FF29ED86B1A7BE4E759328F60443BE404872A1DA79AC46DB1D
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047CBC4,00000000,0047CDC6), ref: 0047C9BD
                                                                                                              Strings
                                                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C98D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                              • API String ID: 47109696-1019749484
                                                                                                              • Opcode ID: bb5ba15996815916538d46b22a9810ae59d53e0406c30950a209d20cc8f6864c
                                                                                                              • Instruction ID: f187297608c4c2e120c43e334d4fef3d14aa164232434ebce48173692ca83dca
                                                                                                              • Opcode Fuzzy Hash: bb5ba15996815916538d46b22a9810ae59d53e0406c30950a209d20cc8f6864c
                                                                                                              • Instruction Fuzzy Hash: BAF089E170451467DA10A56A5C82BAE679D8B44758F20407FF608DB342D9B99D02435C
                                                                                                              APIs
                                                                                                              • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F72A,?,?,00000000,0046F8EE,?,_is1,?), ref: 0046F0BF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value
                                                                                                              • String ID: NoModify
                                                                                                              • API String ID: 3702945584-1699962838
                                                                                                              • Opcode ID: f62fff895c5cb5fcee211893b33144f563fc8351df9822a4020ec110b25f01ba
                                                                                                              • Instruction ID: ad59d6647e2c6f1a966119a9b7040c47703766c51ad9b847bf72baa1670be9f7
                                                                                                              • Opcode Fuzzy Hash: f62fff895c5cb5fcee211893b33144f563fc8351df9822a4020ec110b25f01ba
                                                                                                              • Instruction Fuzzy Hash: 48E04FB4644304BFEB04DB95DD4AF6BB7ECDB48710F10405ABA04DB381E674FE008658
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              Strings
                                                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 0042DE46
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID: System\CurrentControlSet\Control\Windows
                                                                                                              • API String ID: 71445658-1109719901
                                                                                                              • Opcode ID: 0f77c8ce853619a5698b89c9811bea03ab3af1fee96e2778c5ec7c5c80741e7e
                                                                                                              • Instruction ID: abe9ee1dba80eab6c976627f4fe301d03bda2a195c3818943ffea28d54d696bb
                                                                                                              • Opcode Fuzzy Hash: 0f77c8ce853619a5698b89c9811bea03ab3af1fee96e2778c5ec7c5c80741e7e
                                                                                                              • Instruction Fuzzy Hash: E7D0C7729501287BD7009A89DC41DFB775DDB15760F41441BFD1897101C1B4EC5197F8
                                                                                                              APIs
                                                                                                              • GetACP.KERNEL32(?,?,00000001,00000000,0047EBD7,?,-0000001A,00480A90,-00000010,?,00000004,0000001C,00000000,00480DDD,?,0045DC10), ref: 0047E96E
                                                                                                                • Part of subcall function 0042E32C: GetDC.USER32(00000000), ref: 0042E33B
                                                                                                                • Part of subcall function 0042E32C: EnumFontsA.GDI32(?,00000000,0042E318,00000000,00000000,0042E384,?,00000000,00000000,?,?,00000001,00000000,00000002,00000000,004817AB), ref: 0042E366
                                                                                                                • Part of subcall function 0042E32C: ReleaseDC.USER32(00000000,?), ref: 0042E37E
                                                                                                              • SendNotifyMessageA.USER32(00010434,00000496,00002711,-00000001), ref: 0047EB3E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 2649214853-0
                                                                                                              • Opcode ID: 11d352caf6cf76a194d8beb9d25bd90a8a3644bbb7cae3402d6ea1b77134e9b7
                                                                                                              • Instruction ID: ea9abfd011146b73e97573b99a0886535bf82ee2c4f6ab80840a8034e1b56658
                                                                                                              • Opcode Fuzzy Hash: 11d352caf6cf76a194d8beb9d25bd90a8a3644bbb7cae3402d6ea1b77134e9b7
                                                                                                              • Instruction Fuzzy Hash: 5D51BA746001008BCB10FF26D98169B7BA9EB99309B90C67BA4099F367D73CED46C79D
                                                                                                              APIs
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DC4C
                                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD48), ref: 0042DCBC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 3660427363-0
                                                                                                              • Opcode ID: 80665b2cde9ee57e522dd8711412eaf931e33ec8b5fc09fadae09ede8aa250e9
                                                                                                              • Instruction ID: 688ca5bec861f28c2d3c56c4d9756a3eee1da68b680b0c58c854c6ce0276e007
                                                                                                              • Opcode Fuzzy Hash: 80665b2cde9ee57e522dd8711412eaf931e33ec8b5fc09fadae09ede8aa250e9
                                                                                                              • Instruction Fuzzy Hash: BA414171E00529AFDB11DF95D881BAFB7B8BF40714F90846AE800F7241D778AE40CBA9
                                                                                                              APIs
                                                                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DF7C
                                                                                                              • RegCloseKey.ADVAPI32(?,0042DFED,?,00000000,00000000,00000000,00000000,00000000,0042DFE6,?,?,00000008,00000000,00000000,0042E013), ref: 0042DFE0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseEnum
                                                                                                              • String ID:
                                                                                                              • API String ID: 2818636725-0
                                                                                                              • Opcode ID: 1357df86ae473437fca1d40da49537d8538b09428ef48e508d84db5eaea4a0ad
                                                                                                              • Instruction ID: 7da1df7d23dc80ab26fde5356f239728af9ce1fcf96cfee1e9d17441f3ac576c
                                                                                                              • Opcode Fuzzy Hash: 1357df86ae473437fca1d40da49537d8538b09428ef48e508d84db5eaea4a0ad
                                                                                                              • Instruction Fuzzy Hash: E0317170F04258AEDB11DFA2DD82BAEB7B9EB44304F91447BE501E7291D6785E01CA2D
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458320,00000000,00458308,?,?,?,00000000,004528D6,?,?,?,00000001), ref: 004528B0
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,?,?,00458320,00000000,00458308,?,?,?,00000000,004528D6,?,?,?,00000001), ref: 004528B8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 2919029540-0
                                                                                                              • Opcode ID: a1edda8d9d43bdf6393d164a5935c6c7d72f205fa9b275187b219f24b5744e4f
                                                                                                              • Instruction ID: f1ff12a52b9ae97e51c0fc8bedc9ee5f8128ff8695a74900dad41ba9f3169ab0
                                                                                                              • Opcode Fuzzy Hash: a1edda8d9d43bdf6393d164a5935c6c7d72f205fa9b275187b219f24b5744e4f
                                                                                                              • Instruction Fuzzy Hash: D1113C72604208BF8B40DEA9DD41D9F77ECEB4D310B114567FD08D3241D674AD148B68
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AE02
                                                                                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF5F,00000000,0040AF77,?,?,?,00000000), ref: 0040AE13
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 4097029671-0
                                                                                                              • Opcode ID: c2324eb5359665644a5176f1cf96553f9563edd3f7959fa6b260dc2c350a5fba
                                                                                                              • Instruction ID: 0dcf9cb85912d996b0f29ff8386446a7da443b122bfb24013de7d2ae06ed8127
                                                                                                              • Opcode Fuzzy Hash: c2324eb5359665644a5176f1cf96553f9563edd3f7959fa6b260dc2c350a5fba
                                                                                                              • Instruction Fuzzy Hash: FB01F271300300AFDB00EFA9DC92E1A77EDEB49758B108077F500AB3D1DA39AC1096AA
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                              • EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Thread$CurrentEnumWindows
• String ID:
• API String ID: 2396873506-0
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452D36
• GetLastError.KERNEL32(00000000,00000000,00000000,00452D5C), ref: 00452D3E
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00452843), ref: 0045281D
• GetLastError.KERNEL32(00000000,00000000,00000000,00452843), ref: 00452825
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423259
• LoadCursorA.USER32(00000000,00000000), ref: 00423283
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E3AE
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3F8,?,00000000,0042E416,?,00008000), ref: 0042E3DD
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
APIs
• SHGetKnownFolderPath.SHELL32(0049AD40,00008000,00000000,?), ref: 0047CD1F
• CoTaskMemFree.OLE32(?,0047CD62), ref: 0047CD55
Strings
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 969438705-544719455
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470341,?,00000000), ref: 00450982
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470341,?,00000000), ref: 0045098A
  • Part of subcall function 00450728: GetLastError.KERNEL32(00450544,004507EA,?,00000000,?,00498504,00000001,00000000,00000002,00000000,00498665,?,?,00000005,00000000,00498699), ref: 0045072B
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408722), ref: 0040860B
  • Part of subcall function 00406DFC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E19
  • Part of subcall function 00408578: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049C4C0,00000001,?,00408643,?,00000000,00408722), ref: 00408596
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoScroll
                                                                                                              • String ID:
                                                                                                              • API String ID: 629608716-0
                                                                                                              • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                              • Instruction ID: de9d69d4b93587d9dbc4e1ffcd6d3196287cd482c57983938f35f532835c4bfd
                                                                                                              • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                              • Instruction Fuzzy Hash: 59213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                                • Part of subcall function 0041EEB4: EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09
                                                                                                              • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C5AE,?,00000000,?,?,0046C7C0,?,00000000,0046C834), ref: 0046C592
                                                                                                                • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
                                                                                                                • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3319771486-0
                                                                                                              • Opcode ID: cb068eb5dc710ff6006224cfa849e4d5ce5cc64b4f431f923f3b0af9e5388d0c
                                                                                                              • Instruction ID: d90c9d50ec1a4df7de9101e34a36142223e0e09c2726da2ffd76a0a6e3d4faee
                                                                                                              • Opcode Fuzzy Hash: cb068eb5dc710ff6006224cfa849e4d5ce5cc64b4f431f923f3b0af9e5388d0c
                                                                                                              • Instruction Fuzzy Hash: 3CF0B471608300BFE7059B62EC56B257BA8D708714F91047BF40586290E5BD6844C55E
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3934441357-0
                                                                                                              • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                              • Instruction ID: 093968fef036cde5cefa550fbb81a5587008482849b5a1bc4febea26ac521eef
                                                                                                              • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                              • Instruction Fuzzy Hash: 2AF09030105109DFAF0CCF58D0669AF77A5EB48314B20807FEA0B877A0C634AE80D759
                                                                                                              APIs
                                                                                                              • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0
                                                                                                              • Opcode ID: 5ff731208ea2669c00132db587fc5b09c37a3f2098bcfa82a293bed1c7b74572
                                                                                                              • Instruction ID: bf23e32d75ed6c1bba1609a99bdb6fc4fe5539f7daeb337dc53a21feff163cdc
                                                                                                              • Opcode Fuzzy Hash: 5ff731208ea2669c00132db587fc5b09c37a3f2098bcfa82a293bed1c7b74572
                                                                                                              • Instruction Fuzzy Hash: 22F019B2200510AFDB84CEDCD8C0F9373ECEB0C250B0481A6BA08CB21AD220EC108BB0
                                                                                                              APIs
                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CallbackDispatcherUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2492992576-0
                                                                                                              • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                              • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                              • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                              • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450878
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: 2ea57b0a21c6fb2b19939c4352c8c2c80e59da93529ff7c1221b42647be5b244
                                                                                                              • Instruction ID: ad17be180c76723165afa97522f1f8cb50e5cc3c1ac5aed9be9dbb48c14aba74
                                                                                                              • Opcode Fuzzy Hash: 2ea57b0a21c6fb2b19939c4352c8c2c80e59da93529ff7c1221b42647be5b244
                                                                                                              • Instruction Fuzzy Hash: D9E0EDB53441583ED6809AAC6C42F9677DC971A724F018433B998D7241D4619D258BE9
                                                                                                              APIs
                                                                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD24,?,00000001,?,?,00000000,?,0042CD76,00000000,00452A99,00000000,00452ABA,?,00000000), ref: 0042CD07
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: 9c61d9913643e7fc8a87719d436576f713db19c75eb1cc22161a8dfdf450bb3f
                                                                                                              • Instruction ID: e42bb19430493de12fff977eb98fa38a093f16e856f4d8eabd15c7f5a46843e5
                                                                                                              • Opcode Fuzzy Hash: 9c61d9913643e7fc8a87719d436576f713db19c75eb1cc22161a8dfdf450bb3f
                                                                                                              • Instruction Fuzzy Hash: 7DE06571314308BBD701EB62EC92A5EBAECD749714B914476B400D7592D5B86E008468
                                                                                                              APIs
                                                                                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004532E7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FormatMessage
                                                                                                              • String ID:
                                                                                                              • API String ID: 1306739567-0
                                                                                                              • Opcode ID: 7e342571288affc5bafe57b4e7aa38107ccfa77ae99db5e17a7a6f0d9f50f535
                                                                                                              • Instruction ID: 7522df6bb5b7b377145cdc83deeae8a000ac75e555bea28060da8a54cd92ba64
                                                                                                              • Opcode Fuzzy Hash: 7e342571288affc5bafe57b4e7aa38107ccfa77ae99db5e17a7a6f0d9f50f535
                                                                                                              • Instruction Fuzzy Hash: F6E0D86178432126F23524166C43B7B110E43C0704FD440267A809F3D2D6EE9946425E
                                                                                                              APIs
                                                                                                              • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0
                                                                                                              • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                              • Instruction ID: 1e3b386673cc32b76f3712ab4659b14af7d7742474b1f2ca80afcc4f691b27f6
                                                                                                              • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                              • Instruction Fuzzy Hash: 26E002B221430DBFDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972528675AC608B71
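The function records above follow one fixed layout: an "APIs" list of resolved calls with the arguments the plugin read off the stack and the call-site address, then the "Memory Dump Source" the function was lifted from, then the similarity identifiers. With thousands of such records per report it is faster to parse them than to scroll them. The following is an added example, not Joe Sandbox code and not code from the analysed sample: a parser for this record format plus a watchlist pass that surfaces file, registry and WOW64-redirection calls first. SAMPLE is a constructed excerpt in the report's own format (three of the records above, with the "Download File" link residue the HTML export leaves on "Associated" lines); the watchlist names beyond those seen in this report are an assumption to extend as needed.

```python
"""Parse Joe Sandbox IDA-plugin function records into objects and flag the calls a
triager cares about. Added example; not Joe Sandbox code, not code from the sample.
SAMPLE is a constructed excerpt in the report's format, link-label residue included."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
  • Part of subcall function 0041EEB4: EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C5AE,?,00000000,?,?,0046C7C0,?,00000000,0046C834), ref: 0046C592
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• Opcode ID: cb068eb5dc710ff6006224cfa849e4d5ce5cc64b4f431f923f3b0af9e5388d0c
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450878
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• Opcode ID: 2ea57b0a21c6fb2b19939c4352c8c2c80e59da93529ff7c1221b42647be5b244
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• Opcode ID: 04d8f955b4ea1680ce84362706bb61212f931f51abc1de06f6e1381d22c6f23e
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix, Name.MODULE, an
# optional argument list (values as read off the stack, so the count need not match the
# prototype and '?' means unresolved), then ", ref: <call-site VA>".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # raw hex strings or '?' exactly as printed
    ref: int                # virtual address of the call site in the dumped image
    subcall_of: int | None  # callee this call was attributed to, when nested

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    associated: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # API ID, Opcode ID, fuzzy hashes, ...

def parse_records(text: str) -> list:
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()      # drop the bullet glyph
        if not line:
            continue
        if line == "APIs":                                # every record opens with this heading
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            parent = int(m["parent"], 16) if m["parent"] else None
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().removesuffix("Download File")  # HTML link label
        if key == "Source File":
            cur.source_file = value.split(",")[0]
            cur.image_base = int(re.search(r"Offset: ([0-9A-Fa-f]{8})", value).group(1), 16)
        elif key == "Associated":
            cur.associated.append(value)
        else:
            cur.meta[key] = value
    return records

def rva(record: FunctionRecord, call: ApiCall) -> int:
    """Call-site offset from the dump's image base, usable against a rebased copy of the image."""
    return call.ref - record.image_base

# APIs worth reading first. Names seen in this report plus obvious wide/sibling variants
# (assumption; extend for the case at hand).
WATCHLIST = {
    "file write": {"CreateFileA", "CreateFileW", "WriteFile", "SHPathPrepareForWriteA"},
    "registry write": {"RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW"},
    "fs redirection": {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"},
}

def triage(records: list) -> list:
    """(opcode-id prefix, category, matched APIs) for each record that touches the watchlist."""
    hits = []
    for rec in records:
        names = {c.name for c in rec.apis}
        for category, apis in WATCHLIST.items():
            matched = sorted(names & apis)
            if matched:
                hits.append((rec.meta.get("Opcode ID", "?")[:12], category, matched))
    return hits
```

Keying hits on the Opcode ID rather than the call-site address is deliberate: the same Opcode ID recurs across reports for the same compiled routine (here, mostly installer runtime code), so a known-benign list built on it carries over to the next sample while addresses do not. The fourteen "arguments" on SHPathPrepareForWriteA are a reminder that the plugin prints the stack window, not the prototype; only the first four are real parameters.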
                                                                                                              APIs
                                                                                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: 04d8f955b4ea1680ce84362706bb61212f931f51abc1de06f6e1381d22c6f23e
                                                                                                              • Instruction ID: a58665afa9aaed36f31adbd0eb633891456326e8230674c5ed5073cd96bdc880
                                                                                                              • Opcode Fuzzy Hash: 04d8f955b4ea1680ce84362706bb61212f931f51abc1de06f6e1381d22c6f23e
                                                                                                              • Instruction Fuzzy Hash: DDE07EB6600119AF9B40DE8CDC81EEB37ADAB5D350F454016FA08EB200C2B8EC519BA4
APIs
• FindClose.KERNEL32(00000000,000000FF,00470B64,00000000,0047197A,?,00000000,004719C5,?,00000000,00471AFE,?,00000000,?,00000000), ref: 00454C82
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 7eca246021524149fec22f5b43aaa658f949ce3293e179ae35ef6e6ce88d0451
• Instruction ID: ed6c632c5edb2c773ab29dc4195d65b8984e4b681e68d3fe1efecde2d4089f6a
• Opcode Fuzzy Hash: 7eca246021524149fec22f5b43aaa658f949ce3293e179ae35ef6e6ce88d0451
• Instruction Fuzzy Hash: 3AE09B705056004BCB15DF3A858131A76D15FC5324F05C96AAC5CCF3D7D63C84554717
APIs
• KiUserCallbackDispatcher.NTDLL(004960BE,?,004960E0,?,?,00000000,004960BE,?,?), ref: 004146AB
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F34
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3762a51e43609c3b4bae8470f6c1dc5ae0f0561e9ae868b0f3c10d30521955a8
• Instruction ID: f35b24215c0fdc632c147a12649f74ed31c2b31f11cb39250bbd2ff5eed7ffe6
• Opcode Fuzzy Hash: 3762a51e43609c3b4bae8470f6c1dc5ae0f0561e9ae868b0f3c10d30521955a8
• Instruction Fuzzy Hash: 5CD012723081506AD220A65A6C44EAB6ADCCBC5770F11063AB558D2181D6209C018675
APIs
  • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
• ShowWindow.USER32(00410470,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
  • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: 8bec8c91e4db80f916d04adf4cce8d640474384e6a809fab131d495f4cf7285d
• Instruction ID: 62f98a927e5d18dfd067733e82cc858d6425e225367395d1bb64f11078388387
• Opcode Fuzzy Hash: 8bec8c91e4db80f916d04adf4cce8d640474384e6a809fab131d495f4cf7285d
• Instruction Fuzzy Hash: 03D05E123831B03146307BB728059CB86AC8DD66AB389047BB5409B303E91D8A0A51AC
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242EC
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: 7b629e4230a16754486ed56ae920d883ae8ae6fbac6fb4db25cd6a5c7ea909d6
• Instruction ID: 45ecccad5147b2ee88577654b541c8e67cd655c44182ff5547076257999a9e8e
• Opcode Fuzzy Hash: 7b629e4230a16754486ed56ae920d883ae8ae6fbac6fb4db25cd6a5c7ea909d6
• Instruction Fuzzy Hash: 82D05BE270116017CB01BAED54C4AC657CC5B4925A71540B7F904EF257C678CD448398
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,004678D0,00000000,00000000,00000000,0000000C,00000000), ref: 00466C00
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
• Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0045163F,00000000), ref: 0042CD3F
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bfa7c436ea4076489e3194c110aeffa5b63c2464b47e17bafb8d8bd18f179746
• Instruction ID: fe1bff9429d4e90dee18816d853216f65d631ba0a2a06ffe7669bbedc21dff1a
• Opcode Fuzzy Hash: bfa7c436ea4076489e3194c110aeffa5b63c2464b47e17bafb8d8bd18f179746
• Instruction Fuzzy Hash: 6FC08CE0322210169E20A6BD6CC951F06CC895837A3A40A77B03CEA2E2D23DD8162028
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6E4,0040CC90,?,00000000,?), ref: 00406EED
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e8949a66e9203a36065e9c5356ac0ded8f2f701daa6576000ff81ed1d8cf48c0
• Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
• Opcode Fuzzy Hash: e8949a66e9203a36065e9c5356ac0ded8f2f701daa6576000ff81ed1d8cf48c0
• Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C
                                                                                                              APIs
                                                                                                              • SetEndOfFile.KERNEL32(?,?,0045C3EA,00000000,0045C575,?,00000000,00000002,00000002), ref: 004509A7
                                                                                                                • Part of subcall function 00450728: GetLastError.KERNEL32(00450544,004507EA,?,00000000,?,00498504,00000001,00000000,00000002,00000000,00498665,?,?,00000005,00000000,00498699), ref: 0045072B
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,00498492,00000000,00498665,?,?,00000005,00000000,00498699,?,?,00000000), ref: 004072C3
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
• SetErrorMode.KERNEL32(?,0042E41D), ref: 0042E410
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047E407,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047E3C1
  • Part of subcall function 0042CA10: GetSystemMetrics.USER32(0000002A), ref: 0042CA22
Similarity
• API ID: ByteCharMetricsMultiSystemWide
• String ID:
• API String ID: 224039744-0
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• GetLastError.KERNEL32(00000000,004530A1), ref: 00453083
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001ACC,00005ACF,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• LocalAlloc.KERNEL32(00000000,00000644,?,0049C450,004013A3,?,?,00401443,?,?,?,00001ACC,00005ACF,00401983), ref: 00401353
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
• SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
• FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
APIs
• GetTickCount.KERNEL32 ref: 004586D7
• QueryPerformanceCounter.KERNEL32(02323858,00000000,0045896A,?,?,02323858,00000000,?,00459066,?,02323858,00000000), ref: 004586E0
• GetSystemTimeAsFileTime.KERNEL32(02323858,02323858), ref: 004586EA
• GetCurrentProcessId.KERNEL32(?,02323858,00000000,0045896A,?,?,02323858,00000000,?,00459066,?,02323858,00000000), ref: 004586F3
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458769
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02323858,02323858), ref: 00458777
• CreateFileA.KERNEL32(00000000,C0000000,00000000,0049AB24,00000003,00000000,00000000,00000000,00458926), ref: 004587BF
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458915,?,00000000,C0000000,00000000,0049AB24,00000003,00000000,00000000,00000000,00458926), ref: 004587F8
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004588A1
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004588D7
• CloseHandle.KERNEL32(000000FF,0045891C,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045890F
  • Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
APIs
  • Part of subcall function 004787AC: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02322C1C,?,?,?,02322C1C,00478970,00000000,00478A8E,?,?,?,?), ref: 004787C5
  • Part of subcall function 004787AC: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004787CB
  • Part of subcall function 004787AC: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02322C1C,?,?,?,02322C1C,00478970,00000000,00478A8E,?,?,?,?), ref: 004787DE
  • Part of subcall function 004787AC: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02322C1C,?,?,?,02322C1C), ref: 00478808
  • Part of subcall function 004787AC: CloseHandle.KERNEL32(00000000,?,?,?,02322C1C,00478970,00000000,00478A8E,?,?,?,?), ref: 00478826
  • Part of subcall function 00478884: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00478916,?,?,?,02322C1C,?,00478978,00000000,00478A8E,?,?,?,?), ref: 004788B4
• ShellExecuteEx.SHELL32(0000003C), ref: 004789C8
• GetLastError.KERNEL32(00000000,00478A8E,?,?,?,?), ref: 004789D1
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00478A1E
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478A42
• CloseHandle.KERNEL32(00000000,00478A73,00000000,00000000,000000FF,000000FF,00000000,00478A6C,?,00000000,00478A8E,?,?,?,?), ref: 00478A66
Strings
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
APIs
• IsIconic.USER32(?), ref: 004183A3
• GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
• GetWindowRect.USER32(?), ref: 004183DC
• GetWindowLongA.USER32(?,000000F0), ref: 004183EA
• GetWindowLongA.USER32(?,000000F8), ref: 004183FF
• ScreenToClient.USER32(00000000), ref: 00418408
• ScreenToClient.USER32(00000000,?), ref: 00418413
Strings
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
APIs
• IsIconic.USER32(?), ref: 0042F318
• GetWindowLongA.USER32(?,000000F0), ref: 0042F32C
• GetWindowLongA.USER32(?,000000EC), ref: 0042F343
• GetActiveWindow.USER32 ref: 0042F34C
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F379
• SetActiveWindow.USER32(?,0042F4A9,00000000,?), ref: 0042F39A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveLong$IconicMessage
                                                                                                              • String ID:
                                                                                                              • API String ID: 1633107849-0
                                                                                                              • Opcode ID: e8f6b6a421ea1d3179e4c98d77dd5a9a956952bb32a08c7b31a1e4991f2154d2
                                                                                                              • Instruction ID: 64d3bd35cbe97a20ddf06b1c5bb431ac215ab6611dc304e3324dca4d9728f060
                                                                                                              • Opcode Fuzzy Hash: e8f6b6a421ea1d3179e4c98d77dd5a9a956952bb32a08c7b31a1e4991f2154d2
                                                                                                              • Instruction Fuzzy Hash: 0E319C71A00254AFDB01EFB6DC52D6FBBB8EB0D714B9144BAB800E7291D6389D10CB68
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 0045569B
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004556A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004556BA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004556E1
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004556E6
• ExitWindowsEx.USER32(00000002,00000000), ref: 004556F7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 6f0918c0c13bc2f4d4c54a185237749107d323edec97579a5aa57cfa3c3a92f6
• Instruction ID: c3cc1ea1cd3915d7a33d422d8d95032da4a52c1e989dd5dcf2427ab637b102ec
• Opcode Fuzzy Hash: 6f0918c0c13bc2f4d4c54a185237749107d323edec97579a5aa57cfa3c3a92f6
• Instruction Fuzzy Hash: F8F06870694B42B9E610A6B1CC17F3B21C89B44749F50482AFD05EA1D3D7FCD9084A7E
APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D239
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D249
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D259
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047FDF3,00000000,0047FE1C), ref: 0045D27E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
• Opcode ID: e7d405a4ff4eebbc0640f86d2c220ba04bd3b21cd5ce18d39a7322497cc2147d
• Instruction ID: 61c9e43cd1f728e0e46d113f0b501511b53ff9056e95746757012e10b94b60ba
• Opcode Fuzzy Hash: e7d405a4ff4eebbc0640f86d2c220ba04bd3b21cd5ce18d39a7322497cc2147d
• Instruction Fuzzy Hash: 9EF01DF1D01700DAD314DF76AD457263796EBA831AF08807BB800D61A2D779884ADE1C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004988BA,?,?,00000000,0049C628,?,00498A44,00000000,00498A98,?,?,00000000,0049C628), ref: 004987D3
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00498856
• FindNextFileA.KERNEL32(000000FF,?,00000000,00498892,?,00000000,?,00000000,004988BA,?,?,00000000,0049C628,?,00498A44,00000000), ref: 0049886E
• FindClose.KERNEL32(000000FF,00498899,00498892,?,00000000,?,00000000,004988BA,?,?,00000000,0049C628,?,00498A44,00000000,00498A98), ref: 0049888C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 28bd132b98551c6f559692ecd16c2fe17ea53da37e74bec03c2fb1535a725515
• Instruction ID: 01fac1220d05b00ddf84770a6e44258796d533cd1c1ae58874983c532305936c
• Opcode Fuzzy Hash: 28bd132b98551c6f559692ecd16c2fe17ea53da37e74bec03c2fb1535a725515
• Instruction Fuzzy Hash: 6631587190161C6FDF10EF66CC41ADEBBBCDB46314F5184FBA808A32A1DB389E458E64
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004576B9
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004576E0
• SetForegroundWindow.USER32(?), ref: 004576F1
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004579C9,?,00000000,00457A05), ref: 004579B4
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457834
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 77aeb0a8c7fef545e84f15dd7e0a3ea2404ede663b2c5dd9e5d361db2ccce855
• Instruction ID: bbeea18b3a5a77650d3de781f5d15eeacb1b42f9300217bc3a931905813ce4bc
• Opcode Fuzzy Hash: 77aeb0a8c7fef545e84f15dd7e0a3ea2404ede663b2c5dd9e5d361db2ccce855
• Instruction Fuzzy Hash: 64910174608204EFEB15CF65E951F5ABBF5FB4D304F2180BAE80497392C638AE05CB68
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455FF3), ref: 00455EE4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455EEA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 6a98d8be3cefb5d1321440a09b2e8a7ab4abd71e514de144cb28141e7088ffe0
• Instruction ID: c7998eed729051dc06c2a4bfb378ba8793a5d3ea0401748e56fe411d955f0a7d
• Opcode Fuzzy Hash: 6a98d8be3cefb5d1321440a09b2e8a7ab4abd71e514de144cb28141e7088ffe0
• Instruction Fuzzy Hash: 6C417471A04659AFCF01EFA5C8929EEB7B8EF48305F504567F800F7292D67C5E098B68
APIs
• IsIconic.USER32(?), ref: 00417D1F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: 3b7cc9104e2877f08458343a95692454dc034f6994d69eb5de7ebf140b23916c
• Instruction ID: 8a2405f126271a8a3f3b67151c5e9cb2aa668bd176c3c9f3f75a3d087e0924cd
• Opcode Fuzzy Hash: 3b7cc9104e2877f08458343a95692454dc034f6994d69eb5de7ebf140b23916c
• Instruction Fuzzy Hash: 90213171604208ABCF00EF69E8C0EEA77B8AF48314F05456AFD18DF346C678DD848B68
APIs
• SetErrorMode.KERNEL32(00000001,00000000,004643E7), ref: 00464275
• FindFirstFileA.KERNEL32(00000000,?,00000000,004643B2,?,00000001,00000000,004643E7), ref: 004642BB
• FindNextFileA.KERNEL32(000000FF,?,00000000,00464394,?,00000000,?,00000000,004643B2,?,00000001,00000000,004643E7), ref: 00464370
• FindClose.KERNEL32(000000FF,0046439B,00464394,?,00000000,?,00000000,004643B2,?,00000001,00000000,004643E7), ref: 0046438E
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 563cab9de8366674f843763c9e948430dcca3f01ced9fbc8485ee9e1ee4fa311
• Instruction ID: c8116a204d28aaa02fd5c370c7a31de16c8845058ecf0009f09d6eac0a25a6e0
• Opcode Fuzzy Hash: 563cab9de8366674f843763c9e948430dcca3f01ced9fbc8485ee9e1ee4fa311
• Instruction Fuzzy Hash: 9B415235B00A18DBCB10EF65DC95ADEB7B8EB88305F5045AAF804E7351E7389E848E59
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00000001,00000000,00463F41), ref: 00463DB5
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,00463F14,?,00000001,00000000,00463F41), ref: 00463E44
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00463EF6,?,00000000,?,00000000,00463F14,?,00000001,00000000,00463F41), ref: 00463ED6
                                                                                                              • FindClose.KERNEL32(000000FF,00463EFD,00463EF6,?,00000000,?,00000000,00463F14,?,00000001,00000000,00463F41), ref: 00463EF0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 4011626565-0
                                                                                                              • Opcode ID: 69f2e1586f6ced2351afb285fdbfcdcd981e29f0042588a9f0969956ff0ee026
                                                                                                              • Instruction ID: 2cce399ef4bcfda7b326651f57ed136ac3b6341b478a121022c65868e2c33bfd
                                                                                                              • Opcode Fuzzy Hash: 69f2e1586f6ced2351afb285fdbfcdcd981e29f0042588a9f0969956ff0ee026
                                                                                                              • Instruction Fuzzy Hash: E341A730A006589FCB10EF65DC55ADEB7B8EB88305F4044BAF404A7381E77C9F448E59
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E966
                                                                                                              • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E991
                                                                                                              • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E99E
                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E9A6
                                                                                                              • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452FB3,00000000,00452FD4), ref: 0042E9AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 1177325624-0
                                                                                                              • Opcode ID: 773152c83aac0bdef36f70cbb87e69eedcc63596d5fbaed7a562e6c35b36d289
                                                                                                              • Instruction ID: 200206f6ebf05c62f8aab9c26c76e03d6a480d3026058df5ea69506491fbc91e
                                                                                                              • Opcode Fuzzy Hash: 773152c83aac0bdef36f70cbb87e69eedcc63596d5fbaed7a562e6c35b36d289
                                                                                                              • Instruction Fuzzy Hash: 34F06DB23916203AF620A17A6C86F6F018C8785B68F10423BBA14FF1D1D9A89D0655AD
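The function above is the one behind the "Contains functionality to communicate with device drivers" signature: it opens a handle with CreateFileA and issues a DeviceIoControl with control code 0009C040. Whether that talks to a driver or is an ordinary file-system control request can be settled by splitting the code into its CTL_CODE fields (device type, function, method, access) and comparing with winioctl.h. The decoder below is an added example for reading this report; it is not part of the Joe Sandbox output and not code from the sample. It assumes that the first seven values Joe Sandbox prints for the CreateFileA call and the second value printed for DeviceIoControl are the calls' real parameters (the plugin prints a stack snapshot, so the entries past the parameter count are caller frames, which is why the listed arguments are not used beyond that). Constant names and bit layouts come from the Windows SDK headers (winnt.h, fileapi.h, winioctl.h); the list of known FSCTLs is a small selection, not a complete table.

```python
"""Decode the raw stack values Joe Sandbox lists for CreateFileA / DeviceIoControl.

Added example for reading this report; it is not part of the Joe Sandbox output
and not code from the analysed sample. Constant values and the CTL_CODE bit
layout are taken from the Windows SDK headers (winnt.h, fileapi.h, winioctl.h).
"""

from dataclasses import dataclass

# CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h:
#   bits 31..16 = DeviceType, 15..14 = Access, 13..2 = Function, 1..0 = Method
def ctl_code(device: int, function: int, method: int, access: int) -> int:
    return (device << 16) | (access << 14) | (function << 2) | method

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_NAMES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x22: "FILE_DEVICE_UNKNOWN"}

# A handful of file-system control codes, recomputed from their winioctl.h
# definitions rather than hard-coded, so each entry is verifiable by hand.
KNOWN_FSCTL = {
    ctl_code(0x09, 6, 0, 0): "FSCTL_LOCK_VOLUME",
    ctl_code(0x09, 7, 0, 0): "FSCTL_UNLOCK_VOLUME",
    ctl_code(0x09, 8, 0, 0): "FSCTL_DISMOUNT_VOLUME",
    ctl_code(0x09, 15, 0, 0): "FSCTL_GET_COMPRESSION",
    ctl_code(0x09, 16, 0, 3): "FSCTL_SET_COMPRESSION",  # FILE_READ_DATA|FILE_WRITE_DATA
    ctl_code(0x09, 49, 0, 0): "FSCTL_SET_SPARSE",
}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device: int
    function: int
    method: int
    access: int

    @property
    def name(self) -> str:
        return KNOWN_FSCTL.get(self.code, "unknown")

    def describe(self) -> str:
        dev = DEVICE_NAMES.get(self.device, f"device 0x{self.device:X}")
        return (f"0x{self.code:08X} = {dev}, function {self.function}, "
                f"{METHOD_NAMES[self.method]}, {ACCESS_NAMES[self.access]} -> {self.name}")


def decode_ioctl(code: int) -> Ioctl:
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    code &= 0xFFFFFFFF
    return Ioctl(code=code,
                 device=(code >> 16) & 0xFFFF,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3,
                 access=(code >> 14) & 0x3)


# CreateFile argument constants (winnt.h / fileapi.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODES = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x80: "FILE_ATTRIBUTE_NORMAL"}


def bit_names(value: int, table: dict[int, str]) -> list[str]:
    """Name every set bit present in `table`; leftover bits are reported in hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table.keys())
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def decode_create_file(args: list[int]) -> dict[str, object]:
    """Interpret the first seven listed values as CreateFileA's parameters.

    Joe Sandbox prints a stack snapshot; entries past the real parameter count
    are caller frames, so only args[0:7] are used. lpFileName (args[0]) and
    lpSecurityAttributes (args[3]) are pointers and are left as-is.
    """
    if len(args) < 7:
        raise ValueError("CreateFileA takes seven parameters")
    name, access, share, sa, creation, flags, template = args[:7]
    return {
        "lpFileName": name,
        "dwDesiredAccess": bit_names(access, GENERIC_ACCESS),
        "dwShareMode": bit_names(share, SHARE_MODES) or ["0 (exclusive)"],
        "lpSecurityAttributes": sa,
        "dwCreationDisposition": CREATION.get(creation, f"0x{creation:X}"),
        "dwFlagsAndAttributes": bit_names(flags, FILE_FLAGS),
        "hTemplateFile": template,
    }


# Values as printed in the report for the calls at 0042E966 and 0042E991.
REPORT_CREATEFILE_ARGS = [0x00000000, 0xC0000000, 0x00000001, 0x00000000,
                          0x00000003, 0x02000000, 0x00000000]
REPORT_IOCTL = 0x0009C040

if __name__ == "__main__":
    print(decode_ioctl(REPORT_IOCTL).describe())
    for param, value in decode_create_file(REPORT_CREATEFILE_ARGS).items():
        print(f"  {param}: {value}")
```

Run against the values in this entry, the control code decodes to FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, read+write access, which is the winioctl.h definition of FSCTL_SET_COMPRESSION, and the CreateFileA call is GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING with FILE_FLAG_BACKUP_SEMANTICS (the flag CreateFile requires to open a directory handle). Under the stated assumption, the function sets the NTFS compression attribute on an existing file or directory rather than talking to a third-party driver; the GetLastError/SetLastError pair around CloseHandle preserves the DeviceIoControl error code across the close. That reading is an inference from the printed values, not something the report asserts, and an unknown device type or a code the table does not name should be treated as a real driver IOCTL until the handle's path is recovered from the trace.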
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 00483E5E
                                                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00483E7C
                                                                                                              • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049D0A8,0048333A,0048336E,00000000,0048338E,?,?,?,0049D0A8), ref: 00483E9E
                                                                                                              • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049D0A8,0048333A,0048336E,00000000,0048338E,?,?,?,0049D0A8), ref: 00483EB2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Show$IconicLong
                                                                                                              • String ID:
                                                                                                              • API String ID: 2754861897-0
                                                                                                              • Opcode ID: c386378a0c7f85d1cef37335c2bccc2b04846c6b77b58c4a4d67865339b810c4
                                                                                                              • Instruction ID: 4716aa9c85bcb67c2a447f96ffe7cd40772f798c99979f364c9f10fe2fefca1c
                                                                                                              • Opcode Fuzzy Hash: c386378a0c7f85d1cef37335c2bccc2b04846c6b77b58c4a4d67865339b810c4
                                                                                                              • Instruction Fuzzy Hash: 3C017C70A412416EE710BB29DC8AB6B23C45B14B09F48087BB8449B3A3DB3C9D8AC71C
                                                                                                              APIs
                                                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004628CC), ref: 00462850
                                                                                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004628AC,?,00000000,?,00000000,004628CC), ref: 0046288C
                                                                                                              • FindClose.KERNEL32(000000FF,004628B3,004628AC,?,00000000,?,00000000,004628CC), ref: 004628A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$CloseFirstNext
                                                                                                              • String ID:
                                                                                                              • API String ID: 3541575487-0
                                                                                                              • Opcode ID: d4f80b4a2fb94837fc0fbcbe12dd3d6f714ac86ba5cd5b3d43aeac8edfdaadf3
                                                                                                              • Instruction ID: 841aaca985aa1eabcc65563c383ac57876b75d473b933154d1e9c72f52fa3cd7
                                                                                                              • Opcode Fuzzy Hash: d4f80b4a2fb94837fc0fbcbe12dd3d6f714ac86ba5cd5b3d43aeac8edfdaadf3
                                                                                                              • Instruction Fuzzy Hash: 3A210B31904A087FDB11FF65CD41ADEBBACDB49304F5045B7A808E32A1E67C8E44CE56
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 004241F4
                                                                                                              • SetActiveWindow.USER32(?,?,?,?,0046CE53), ref: 00424201
                                                                                                                • Part of subcall function 0042365C: ShowWindow.USER32(00410470,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                                                                • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,023225AC,0042421A,?,?,?,?,0046CE53), ref: 00423B5F
                                                                                                              • SetFocus.USER32(00000000,?,?,?,?,0046CE53), ref: 0042422E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveFocusIconicShow
                                                                                                              • String ID:
                                                                                                              • API String ID: 649377781-0
                                                                                                              • Opcode ID: 2caf509772b4e47572ac949d7f8b8f9ae0a5a4117a3619920a2f1982222ed166
                                                                                                              • Instruction ID: c379361f86f494b348edbf52cdf1d5c809bfbf5168ad2d96a2c3ff14c6914fef
                                                                                                              • Opcode Fuzzy Hash: 2caf509772b4e47572ac949d7f8b8f9ae0a5a4117a3619920a2f1982222ed166
                                                                                                              • Instruction Fuzzy Hash: B3F0DA717002209BDB10AFAAD8C5B9676A8EF48344B5541BBBD09DF35BCA7CDC018768
                                                                                                              APIs
                                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042EE35
                                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042EE45
                                                                                                              • CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042EE6D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                                                                              • String ID:
                                                                                                              • API String ID: 3525989157-0
                                                                                                              • Opcode ID: e535240892797685b4ab9d9c929302bfb3a48c93a5258e40853e85be58f26cad
                                                                                                              • Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
                                                                                                              • Opcode Fuzzy Hash: e535240892797685b4ab9d9c929302bfb3a48c93a5258e40853e85be58f26cad
                                                                                                              • Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 00417D1F
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Placement$Iconic
                                                                                                              • String ID:
                                                                                                              • API String ID: 568898626-0
                                                                                                              • Opcode ID: 1c91201d2ff36bc72c7178dd8424e8fae2c9e4961405fe597c6cb80dc68efef3
                                                                                                              • Instruction ID: ae07cbcaee7307856f0de191e02e21b90635fd34b211f34cef32728ab7ec892e
                                                                                                              • Opcode Fuzzy Hash: 1c91201d2ff36bc72c7178dd8424e8fae2c9e4961405fe597c6cb80dc68efef3
                                                                                                              • Instruction Fuzzy Hash: 2A017C31204108ABCB10EE59E8C1EEA73A8AF44324F054567FD08CF242D638ECC087A8
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CaptureIconic
                                                                                                              • String ID:
                                                                                                              • API String ID: 2277910766-0
                                                                                                              • Opcode ID: a20d27f3b2ac0a1b3fa2ab67efc932bc7606427269a1e4b5a38f9b3ed8bb9e72
                                                                                                              • Instruction ID: 8b244cfd74e2e9025fb133a269c9ff628bd031c9e89e3e616ef14db29f4eec50
                                                                                                              • Opcode Fuzzy Hash: a20d27f3b2ac0a1b3fa2ab67efc932bc7606427269a1e4b5a38f9b3ed8bb9e72
                                                                                                              • Instruction Fuzzy Hash: CBF06232304A024BDB31A72EC885AEB62F59F88368B24443FE419C7765EB7CDCD58758
APIs
• IsIconic.USER32(?), ref: 004241AB
  • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
  • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
  • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
  • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
• SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
  • Part of subcall function 0042365C: ShowWindow.USER32(00410470,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: 6a9b997a6a6cf91003675646eaf443a00e7e2891d5b78c90ff096ed1e4918312
• Instruction ID: b7d9458b5e0a659a50abb462337f5bae1697c0dc3d856a04b5cc34dfb433b66f
• Opcode Fuzzy Hash: 6a9b997a6a6cf91003675646eaf443a00e7e2891d5b78c90ff096ed1e4918312
• Instruction Fuzzy Hash: 6CE01AA470010187DF00EFAADCC9B9632A8BF48304F55057ABC08CF24BDA3CC950C728
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 8e873b8b5c82bc258c14262f025a038593852d0d4569c028c12fccb2f86baf91
• Instruction ID: e2daaee124a258af88011e7d59d1a34290a71591709d5bbd6185ea02eebcb9ba
• Opcode Fuzzy Hash: 8e873b8b5c82bc258c14262f025a038593852d0d4569c028c12fccb2f86baf91
• Instruction Fuzzy Hash: D851F6356082058FC710DB6AD681A9BF3E5FF98314B2482BBD824C7391D7B8EDA1C759
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047904A
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 2acbb7ee23148c44530fb96b869e7794becc65d69925435b63a344be70e19465
• Instruction ID: a31957f8146ee59bbe5f7cc321da5d64c206ff61d5be307610cda5dda3fb314a
• Opcode Fuzzy Hash: 2acbb7ee23148c44530fb96b869e7794becc65d69925435b63a344be70e19465
• Instruction Fuzzy Hash: 7C413575614144EFDB10CF9DC6858AAB7F6FB48310B24C996E84CDB301D739EE419B54
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,0046DFA4,?,?,0046DFA4,00000000), ref: 0045D2EF
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: f72980deaa919cf0bcca330c95d094571c0b9ac3099722338076af053f3dc2d8
• Instruction ID: b6c4cc1f99ef2e52d606a12bd82df8b216d3beaef2de20ba66a0ab70ac2c171e
• Opcode Fuzzy Hash: f72980deaa919cf0bcca330c95d094571c0b9ac3099722338076af053f3dc2d8
• Instruction Fuzzy Hash: 81C09BF240420C7F65005795ECC9C77B75CE6586547404136F704831019572AC104574
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DC14,?,0046DDF5), ref: 0045D302
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: f277e602d1aa1d933ca60749d28492a83cf7560ca7b8b7592fc74e5de38efb5e
• Instruction ID: 163ad57823698c1276c601513e35adbc52e9ec482f3283ddef75a5d9e9809592
• Opcode Fuzzy Hash: f277e602d1aa1d933ca60749d28492a83cf7560ca7b8b7592fc74e5de38efb5e
• Instruction Fuzzy Hash: 86A002F0F803007AFD2057615E0EF26252D97D0F05F2044757306EA0D085A5A401852C
Memory Dump Source
• Source File: 00000001.00000002.2907745655.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.2907720377.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2907762863.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
• Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
Memory Dump Source
• Source File: 00000001.00000002.2907745655.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.2907720377.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2907762863.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
• Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                                • Part of subcall function 0044B678: GetVersionExA.KERNEL32(00000094), ref: 0044B695
                                                                                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F7E9,004992CA), ref: 0044B6F3
                                                                                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B70B
                                                                                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B71D
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B72F
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B741
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B753
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B765
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B777
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B789
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B79B
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B7AD
                                                                                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B7BF
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B7D1
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B7E3
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B7F5
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B807
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B819
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B82B
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B83D
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B84F
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B861
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B873
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B885
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B897
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B8A9
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B8BB
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B8CD
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B8DF
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B8F1
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B903
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B915
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B927
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B939
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B94B
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B95D
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B96F
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B981
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B993
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B9A5
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B9B7
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B9C9
                                                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B9DB
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B9ED
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B9FF
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BA11
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BA23
                                                                                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BA35
                                                                                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BA47
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoadVersion
                                                                                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                              • API String ID: 1968650500-2910565190
                                                                                                              • Opcode ID: a839ccb9c9a861a6ca06feeaf4f5b9cf9d009b24b8deb6d9a0dd113e88dab802
                                                                                                              • Instruction ID: 8a2f9fdf968ae37fa3cb46079294691732ee00746fcb1dbbaee87679a149b2ae
                                                                                                              • Opcode Fuzzy Hash: a839ccb9c9a861a6ca06feeaf4f5b9cf9d009b24b8deb6d9a0dd113e88dab802
                                                                                                              • Instruction Fuzzy Hash: D59153F0A40B51EBEB00EBB59CC6A2A37A8EB15B1471415BBB480EF295D778DC048F5D
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 0041CA50
                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 0041CA5C
                                                                                                              • CreateBitmap.GDI32(0041A954,?,00000001,00000001,00000000), ref: 0041CA80
                                                                                                              • CreateCompatibleBitmap.GDI32(?,0041A954,?), ref: 0041CA90
                                                                                                              • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                                                              • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                                                              • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                                                              • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                                                              • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 0041CB3B
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                                                              • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB84
                                                                                                              • RealizePalette.GDI32(00000000), ref: 0041CB8D
                                                                                                              • SelectPalette.GDI32(0041CE4C,00000000,00000001), ref: 0041CB9C
                                                                                                              • RealizePalette.GDI32(0041CE4C), ref: 0041CBA5
                                                                                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                                                              • BitBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020), ref: 0041CBF1
                                                                                                              • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                                                              • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                                                                • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 269503290-0
                                                                                                              • Opcode ID: cce4914916f1a7239ac88c37909b2d3847b69fcced41e26916e06273e7ac86df
                                                                                                              • Instruction ID: 4a976381369a00188f54b32674623e6c4b83415f3a667354aa154cca89d68730
                                                                                                              • Opcode Fuzzy Hash: cce4914916f1a7239ac88c37909b2d3847b69fcced41e26916e06273e7ac86df
                                                                                                              • Instruction Fuzzy Hash: 2C61EE71A44608AFDB10EBE9DC86FDFB7B8EF49704F14446AB504E7281D67CA940CB68
                                                                                                              APIs
                                                                                                              • CoCreateInstance.OLE32(0049AA74,00000000,00000001,0049A774,?,00000000,00456A8B), ref: 00456726
                                                                                                              • CoCreateInstance.OLE32(0049A764,00000000,00000001,0049A774,?,00000000,00456A8B), ref: 0045674C
                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 00456903
                                                                                                              Strings
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 004568E8
                                                                                                              • %ProgramFiles(x86)%\, xrefs: 004567D6
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00456899
                                                                                                              • IPersistFile::Save, xrefs: 00456A0A
                                                                                                              • CoCreateInstance, xrefs: 00456757
                                                                                                              • IPropertyStore::Commit, xrefs: 0045698B
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045693A
                                                                                                              • {pf32}\, xrefs: 004567C6
                                                                                                              • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004569AC
                                                                                                              • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 00456972
                                                                                                              • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456865
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateInstance$FreeString
                                                                                                              • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                                              • API String ID: 308859552-2363233914
                                                                                                              • Opcode ID: 4019791116f66badce9a962934a38fe6a925263bf281427cd9e28d1a80f6db8e
                                                                                                              • Instruction ID: 4df8bc5fd707d325f3bf8ee572e1ec6f0f953e2c79806aa5a0124fc00630fac3
                                                                                                              • Opcode Fuzzy Hash: 4019791116f66badce9a962934a38fe6a925263bf281427cd9e28d1a80f6db8e
                                                                                                              • Instruction Fuzzy Hash: CBB13170A00108AFDB50DFA9C985B9E7BF8AF49306F554066F804E7362DB78DD48CB69
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472EFC
                                                                                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473017
                                                                                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0047302D
                                                                                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00473052
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                                              • String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
                                                                                                              • API String ID: 971782779-2902529204
                                                                                                              • Opcode ID: c8d3714330c821f44f5f542ed692b99ce225314bcf0a3c632e85185b5bf0d038
                                                                                                              • Instruction ID: 2511324a254e809fb6cb6e6df698c04f534d896ef770860fda33365643b674db
                                                                                                              • Opcode Fuzzy Hash: c8d3714330c821f44f5f542ed692b99ce225314bcf0a3c632e85185b5bf0d038
                                                                                                              • Instruction Fuzzy Hash: 6FD12434A001499FDB01EFA9D582BDDBBF4EF08305F50806AF804B7392D6789E45DB69
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(?,00000005,00000000,00498E40,?,?,00000000,?,00000000,00000000,?,004991F7,00000000,00499201,?,00000000), ref: 00498B2B
                                                                                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498E40,?,?,00000000,?,00000000,00000000,?,004991F7,00000000), ref: 00498B3E
                                                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498E40,?,?,00000000,?,00000000,00000000), ref: 00498B4E
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498B6F
                                                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498E40,?,?,00000000,?,00000000), ref: 00498B7F
                                                                                                                • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,00456126,00000000,0045618E), ref: 0042D491
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                                              • API String ID: 2000705611-3672972446
                                                                                                              • Opcode ID: 91e92302dd04ccf1bd283404641ef03bf6b97a4a9fd2a5878dc4b21af6c4bdbe
                                                                                                              • Instruction ID: c4cf27df87ac7a7b4ea6ef339e5ba87e8767b77ee3c6798ab53da9e3a0f24a8a
                                                                                                              • Opcode Fuzzy Hash: 91e92302dd04ccf1bd283404641ef03bf6b97a4a9fd2a5878dc4b21af6c4bdbe
                                                                                                              • Instruction Fuzzy Hash: 09919330A042449FDF11EB69D852FAE7BA5EB4A304F51447AF400E72D2CA7CAC05CB6D
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,0045AA3C,?,?,?,?,?,00000006,?,00000000,00497F35,?,00000000,00497FD8), ref: 0045A8EE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                              • API String ID: 1452528299-3112430753
                                                                                                              • Opcode ID: 8a7e70ed7d2802cf2d1f154f993020eede7d014e1a3a8bb25d69fafc5e35e5ca
                                                                                                              • Instruction ID: 47b20d326fd82fe6504d69cf898c82eeddf784bf4f3b73b35613650615bf039f
                                                                                                              • Opcode Fuzzy Hash: 8a7e70ed7d2802cf2d1f154f993020eede7d014e1a3a8bb25d69fafc5e35e5ca
                                                                                                              • Instruction Fuzzy Hash: D171A030B042546BDB00EB6988827AE7BA49F48305F50856BFC01EB383CB7CDE59C75A
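The function records above (uxtheme wrappers resolved through GetProcAddress, the IShellLink/IPropertyStore shortcut writer, the Inno-Setup-RegSvr-Mutex check, the file-deletion routine, and the advapi32 ACL helper that follows) all share one layout: an "APIs" list of "Func.MODULE(args), ref: ADDR" lines, an optional "Strings" list, and a "String ID" line of "$"-separated artefacts. The following Python is an added triage helper, not part of the Joe Sandbox report or of the analysed sample; it parses that layout, pairs each runtime-resolved name with the module loaded just before it, and flags calls against a small watch-list. The watch-list and the "pair GetProcAddress with the preceding GetModuleHandle/LoadLibrary" heuristic are this example's own assumptions (the report prints the HMODULE argument as 00000000, so the module is inferred from call order), and the sample input is a constructed excerpt of two records from this page.

```python
"""Parse Joe Sandbox "APIs" function records and summarise them for triage."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: two function records from this page, in the
# report's own layout, so the parser runs offline.
SAMPLE = """\
APIs
• GetVersion.KERNEL32 ref: 0045CC82
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CCA2
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CCAF
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CCBC
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CCCA
  • Part of subcall function 0045CB70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 0045CBE9
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 0045CD83
• GetLastError.KERNEL32(?,?,?,00000000), ref: 0045CD8C
Strings
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
APIs
• ShowWindow.USER32(?,00000005,00000000,00498E40), ref: 00498B2B
• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005), ref: 00498B3E
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498B6F
Strings
Similarity
• API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• API String ID: 2000705611-3672972446
"""

# One "• Func.MODULE(args), ref: ADDR" line. The argument list is optional
# ("GetVersion.KERNEL32 ref: ...") and a "Part of subcall function X:" prefix
# marks a call made from a callee rather than from this function itself.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    func: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # address of the callee the call belongs to


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    string_ids: List[str] = field(default_factory=list)
    api_string_id: str = ""


def parse_records(text: str) -> List[Record]:
    """Split the report text into records, one per "APIs" header."""
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            current.calls.append(Call(m.group("func"), m.group("mod"), args, m.group("ref"), m.group("sub")))
        elif line.startswith("• String ID:"):
            current.string_ids = [s for s in line[len("• String ID:"):].strip().split("$") if s]
        elif line.startswith("• API String ID:"):
            current.api_string_id = line[len("• API String ID:"):].strip()
    return records


def dynamic_imports(rec: Record) -> Dict[str, List[str]]:
    """Map each module named in GetModuleHandle*/LoadLibrary* to the names
    resolved via GetProcAddress after it. Assumption of this example: the
    report shows the HMODULE as 00000000, so pairing is by call order."""
    result: Dict[str, List[str]] = {}
    module = "<unknown>"
    for c in rec.calls:
        if c.subcall:
            continue  # belongs to a callee, not to this function's own flow
        if c.func in ("GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW") and c.args:
            module = c.args[0]
            result.setdefault(module, [])
        elif c.func == "GetProcAddress" and len(c.args) >= 2:
            result.setdefault(module, []).append(c.args[1])
    return result


# Constructed watch-list (this example's assumption, not a list from the report).
WATCH = {
    "CreateMutexA": "named mutex (single-instance guard or marker)",
    "CreateMutexW": "named mutex (single-instance guard or marker)",
    "GetNamedSecurityInfoW": "reads an object's security descriptor",
    "SetNamedSecurityInfoW": "rewrites an object's DACL",
    "SetEntriesInAclW": "builds ACEs for a DACL change",
    "WritePrivateProfileStringA": "writes an .ini file (Desktop.ini above)",
}


def triage(rec: Record) -> List[str]:
    """Watch-list hits among direct calls and runtime-resolved names."""
    names = {c.func for c in rec.calls if not c.subcall}
    for targets in dynamic_imports(rec).values():
        names.update(targets)
    return sorted(n for n in names if n in WATCH)


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(f"record {i}: api_string_id={rec.api_string_id} strings={rec.string_ids}")
        for mod, names in dynamic_imports(rec).items():
            print(f"  resolves from {mod}: {', '.join(names)}")
        for name in triage(rec):
            print(f"  watch: {name} ({WATCH[name]})")
```

To run it over the whole report, replace SAMPLE with the text of the "APIs" section as extracted from the page; records whose GetModuleHandle/LoadLibrary call sits outside the visible lines (as with the uxtheme wrapper above) land under "<unknown>", which is the cue to look at the record's String ID line ("uxtheme.dll") instead.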
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32 ref: 0045CC82
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CCA2
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CCAF
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CCBC
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CCCA
  • Part of subcall function 0045CB70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CC0F,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CBE9
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CEBD,?,?,00000000), ref: 0045CD83
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CEBD,?,?,00000000), ref: 0045CD8C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: c6057923a5b4aa5def86807270a108e59673eb775b044adeceaa0b76775d665d
• Instruction ID: e70f229ab34f11e3bb96b7fa9db8dd957f06ce772e443448e3a5811e0bd6c06d
• Opcode Fuzzy Hash: c6057923a5b4aa5def86807270a108e59673eb775b044adeceaa0b76775d665d
• Instruction Fuzzy Hash: BA5195B1900704EFDB10DF99C881BEEB7B9EB48715F14806AF915F7282C2789945CF69
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3D3
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3DD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
• CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B406
• GetDC.USER32(00000000), ref: 0041B412
• CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B43F
• ReleaseDC.USER32(00000000,00000000), ref: 0041B465
• SelectObject.GDI32(00000000,?), ref: 0041B480
• SelectObject.GDI32(?,00000000), ref: 0041B48F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
• SelectObject.GDI32(?,00000000), ref: 0041B4D7
• DeleteDC.GDI32(00000000), ref: 0041B4E0
• DeleteDC.GDI32(?), ref: 0041B4E9
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
• String ID:
• API String ID: 644427674-0
• Opcode ID: a07e3cbb24df5042cba66812f0bcbe2bed2d5bf396793bbd6052f972fec3ec6c
• Instruction ID: 6b909a1540c808143a27ece7eebc35972739c5532850bae840edfb4e77f88e68
• Opcode Fuzzy Hash: a07e3cbb24df5042cba66812f0bcbe2bed2d5bf396793bbd6052f972fec3ec6c
• Instruction Fuzzy Hash: 5641CE71E44609AFDB10DAE9C846FEFB7BCEB08704F104466B614F7282C7786D408BA8
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
• RegQueryValueExA.ADVAPI32(0045AC12,00000000,00000000,?,00000000,?,00000000,00454B81,?,0045AC12,00000003,00000000,00000000,00454BB8), ref: 00454A01
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004532E7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
• RegQueryValueExA.ADVAPI32(0045AC12,00000000,00000000,00000000,?,00000004,00000000,00454ACB,?,0045AC12,00000000,00000000,?,00000000,?,00000000), ref: 00454A85
• RegQueryValueExA.ADVAPI32(0045AC12,00000000,00000000,00000000,?,00000004,00000000,00454ACB,?,0045AC12,00000000,00000000,?,00000000,?,00000000), ref: 00454AB4
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045491F
• RegOpenKeyEx, xrefs: 00454984
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454958
• , xrefs: 00454972
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: ea363e332115dfb8c4c67b8ec304858bf906e1cf5f24106764d4d2bb4c48bf73
• Instruction ID: f9892de48a8f191bc49ac76cf4be280f3350b447777e8b89a87aacf0c036b8b5
• Opcode Fuzzy Hash: ea363e332115dfb8c4c67b8ec304858bf906e1cf5f24106764d4d2bb4c48bf73
• Instruction Fuzzy Hash: 31912571E44208ABDB41DB95C941BDEB7FCEB89309F10447BF900FB282D6789E458B69
APIs
  • Part of subcall function 0045940C: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459549,00000000,00459701,?,00000000,00000000,00000000), ref: 00459459
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459701,?,00000000,00000000,00000000), ref: 004595A7
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459701,?,00000000,00000000,00000000), ref: 00459611
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459701,?,00000000,00000000,00000000), ref: 00459678
Strings
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004595C4
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0045962B
• .NET Framework version %s not found, xrefs: 004596B1
• v1.1.4322, xrefs: 0045966A
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 0045955A
• .NET Framework not found, xrefs: 004596C5
• v4.0.30319, xrefs: 00459599
• v2.0.50727, xrefs: 00459603
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: dc1a9eed719738aac385137c6c32649b7aafbb0fa5d830984bf6fd88e0841277
• Instruction ID: 13449528a83cd7bd3976393389562d3fcc4363bdf2ba35ed2198dacadad7a936
• Opcode Fuzzy Hash: dc1a9eed719738aac385137c6c32649b7aafbb0fa5d830984bf6fd88e0841277
• Instruction Fuzzy Hash: FC51B135A04145EBCB01DF64C8A1BEE77A6DB89305F54447BE8019B393EB3D9E0E8B18
APIs
• CloseHandle.KERNEL32(?), ref: 00458B23
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458B3F
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458B4D
• GetExitCodeProcess.KERNEL32(?), ref: 00458B5E
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458BA5
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458BC1
Strings
• Helper process exited., xrefs: 00458B6D
• Helper isn't responding; killing it., xrefs: 00458B2F
• Stopping 64-bit helper process. (PID: %u), xrefs: 00458B15
• Helper process exited, but failed to get exit code., xrefs: 00458B97
• Helper process exited with failure code: 0x%x, xrefs: 00458B8B
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: 580926d47f07d23538b7e0810c5f2f20b36629562999f9b1b12c58acf7172f57
• Instruction ID: 7e49c79e8349cf5087e4bea88bd9331b7e76427b7ebfc1862ecfa5aa0db55867
• Opcode Fuzzy Hash: 580926d47f07d23538b7e0810c5f2f20b36629562999f9b1b12c58acf7172f57
• Instruction Fuzzy Hash: 462162706047409BC760E77DC442B5B76D89F44305F008C2EB999E7283DF7CE8489B6A
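The API trace blocks above (the advapi32 GetProcAddress chain, the SharedDLLs and .NET Policy registry probes, and the helper-process shutdown sequence with its 00002710 wait and 000000FA sleep) are machine output, and an analyst usually wants them as structured data rather than as bullet lists. The following Python parser is an added example and is not part of the Joe Sandbox report or of the analysed sample: it reads trace lines in the exact format printed on this page, keeps the "Part of subcall function" nesting, decodes hex arguments, groups the APIs the sample resolves at runtime through GetProcAddress under the DLL named in the preceding GetModuleHandle call, and annotates a few well-known constants (HKEY roots, wait timeouts). The sample lines embedded in the block are copied from the report blocks above; the function names, the dataclass and the constant tables are this example's own assumptions.

```python
"""Parse Joe Sandbox 'APIs' trace lines into structured records.

Added example, not code from the Joe Sandbox report or the analysed sample.
SAMPLE below is copied from the trace blocks in the report; everything else
(function names, ApiCall, the constant tables) is this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One trace line: optional "Part of subcall function XXXXXXXX: " prefix, then
# Api.MODULE(arg,arg,...), ref: XXXXXXXX   (the bullet is the report's own)
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
_HEX = re.compile(r"^[0-9A-F]{8}$")

# Assumed helper tables for annotation (documented Win32 values).
HKEY_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
INFINITE = 0xFFFFFFFF


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                 # raw tokens as printed ("?" = unknown)
    ref: int                        # address of the call site
    subcall_of: Optional[int] = None  # callee address if nested in a subcall

    @property
    def direct(self) -> bool:
        return self.subcall_of is None

    def int_arg(self, i: int) -> Optional[int]:
        """Argument i as an integer if the sandbox printed it as 8 hex digits."""
        if i < len(self.args) and _HEX.match(self.args[i]):
            return int(self.args[i], 16)
        return None


def parse_trace(text: str) -> List[ApiCall]:
    """Parse every trace line in `text`; headers such as 'Strings' are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(
            api=m["api"], module=m["mod"], args=args, ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def resolved_imports(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Map DLL name -> APIs looked up at runtime through GetProcAddress.

    The sandbox prints the module handle as 00000000, so the DLL is taken
    from the most recent GetModuleHandle*/LoadLibrary* string argument.
    """
    out: Dict[str, List[str]] = {}
    current = "<unknown>"
    for c in calls:
        if c.api.startswith(("GetModuleHandle", "LoadLibrary")) and c.args:
            if c.args[0] != "?" and not _HEX.match(c.args[0]):
                current = c.args[0].lower()
        elif c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?":
            out.setdefault(current, []).append(c.args[1])
    return out


def describe(c: ApiCall) -> str:
    """One-line summary of a call with a few well-known constants decoded."""
    notes: List[str] = []
    if c.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(c.args) >= 2:
        root = c.int_arg(0)
        if root in HKEY_ROOTS:
            notes.append(HKEY_ROOTS[root] + "\\" + c.args[1])
    if c.api == "WaitForSingleObject" and c.int_arg(1) is not None:
        ms = c.int_arg(1)
        notes.append("timeout INFINITE" if ms == INFINITE else "timeout %d ms" % ms)
    if c.api == "Sleep" and c.int_arg(0) is not None:
        notes.append("sleep %d ms" % c.int_arg(0))
    nest = "  (subcall of %08X)" % c.subcall_of if c.subcall_of is not None else ""
    return "%08X %s.%s %s%s" % (c.ref, c.module, c.api, "; ".join(notes), nest)


# Copied from the report blocks on this page (constructed test input for the parser).
SAMPLE = r"""
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CCA2
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CCAF
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CCBC
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CCCA
  • Part of subcall function 0045CB70: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CC0F,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CBE9
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CEBD,?,?,00000000), ref: 0045CD83
Strings
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458B3F
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458B4D
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458BC1
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
"""

if __name__ == "__main__":
    parsed = parse_trace(SAMPLE)
    for call in parsed:
        print(describe(call))
    print("runtime-resolved imports:", resolved_imports(parsed))
```

Grouping the GetProcAddress targets by DLL is the check worth automating here: an import that never appears in the PE import table but is resolved at runtime (the three advapi32 ACL functions in the first block) is exactly what the "Extensive use of GetProcAddress" signature in the report summary refers to, and having it as a dict makes it easy to diff against the static import table.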
APIs
  • Part of subcall function 0042DDF4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE20
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454773,?,00000000,00454837), ref: 004546C3
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454773,?,00000000,00454837), ref: 004547FF
  • Part of subcall function 0042E8D8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004532E7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8F7
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004545DB
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045460B
• , xrefs: 00454625
• RegCreateKeyEx, xrefs: 00454637
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: 4922b32db45267d894a4643b09a92539c43c37ba3b1ac319da150b9eb09741db
• Instruction ID: dcb2efb4518004930bb79e36ff4c26a26f41c5c3291808b61d16842317edebf7
• Opcode Fuzzy Hash: 4922b32db45267d894a4643b09a92539c43c37ba3b1ac319da150b9eb09741db
• Instruction Fuzzy Hash: E6810175A00209AFDB00EFD5C941BEEB7B9EB49305F50442AF900FB282D7789A45CB69
                                                                                                              APIs
                                                                                                                • Part of subcall function 00453930: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A1F
                                                                                                                • Part of subcall function 00453930: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A2F
                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004973A5
                                                                                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004974F9), ref: 004973C6
                                                                                                              • CreateWindowExA.USER32(00000000,STATIC,00497508,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004973ED
                                                                                                              • SetWindowLongA.USER32(?,000000FC,00496B80), ref: 00497400
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004974CC,?,?,000000FC,00496B80,00000000,STATIC,00497508), ref: 00497430
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004974A4
                                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004974CC,?,?,000000FC,00496B80,00000000), ref: 004974B0
                                                                                                                • Part of subcall function 00453DA4: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E8B
                                                                                                              • DestroyWindow.USER32(?,004974D3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004974CC,?,?,000000FC,00496B80,00000000,STATIC), ref: 004974C6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                                              • API String ID: 1549857992-2312673372
                                                                                                              • Opcode ID: 0ab8c79763325155dd79793700a727a6f2b3fb3e9c7f7600a3a4c1d4aca0dfea
                                                                                                              • Instruction ID: a44cfd94a4b3d096a525e7606d5a2dde299b278b8d360b581aa2f7a861fbb15f
                                                                                                              • Opcode Fuzzy Hash: 0ab8c79763325155dd79793700a727a6f2b3fb3e9c7f7600a3a4c1d4aca0dfea
                                                                                                              • Instruction Fuzzy Hash: 1A414370A54208AFDF00EFA5DC52F9E7BB8EB09714F514576F900F7292D6799A00CB68
                                                                                                              APIs
                                                                                                              • GetActiveWindow.USER32 ref: 00462AA4
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462AB8
                                                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462AC5
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462AD2
                                                                                                              • GetWindowRect.USER32(?,00000000), ref: 00462B1E
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462B5C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                              • API String ID: 2610873146-3407710046
                                                                                                              • Opcode ID: f4d6e5fad0b29dbe73c49a3dd9bbec29a3ac53327e7f71340f51527231a6598f
                                                                                                              • Instruction ID: 79ef3469d7d3f88cabd24b86f5758d16992ed885f8e8d733778c3d92ea40af4d
                                                                                                              • Opcode Fuzzy Hash: f4d6e5fad0b29dbe73c49a3dd9bbec29a3ac53327e7f71340f51527231a6598f
                                                                                                              • Instruction Fuzzy Hash: F6219276B05A046BD600DE68CD81F7B3799DB88F14F09052AF944DB3C2EAB8ED004B5A
                                                                                                              APIs
                                                                                                              • GetActiveWindow.USER32 ref: 0042F1F4
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F208
                                                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F215
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F222
                                                                                                              • GetWindowRect.USER32(?,00000000), ref: 0042F26E
                                                                                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F2AC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                              • API String ID: 2610873146-3407710046
                                                                                                              • Opcode ID: 7dac0dfa7658a4558a2e8796b90453688b6c981995994b626f0caacaebe10860
                                                                                                              • Instruction ID: cafee556b4ff86616240ec82e2754e32886365cebaf319099c414f584e750c92
                                                                                                              • Opcode Fuzzy Hash: 7dac0dfa7658a4558a2e8796b90453688b6c981995994b626f0caacaebe10860
                                                                                                              • Instruction Fuzzy Hash: 3421D77A704614ABD300D664DD81F3B33E4DB89B14F89057AFD40DB381DA79DC084BA9
                                                                                                              APIs
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458EA3,?,00000000,00458F06,?,?,02323858,00000000), ref: 00458D21
                                                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02323858,?,00000000,00458E38,?,00000000,00000001,00000000,00000000,00000000,00458EA3), ref: 00458D7E
                                                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02323858,?,00000000,00458E38,?,00000000,00000001,00000000,00000000,00000000,00458EA3), ref: 00458D8B
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458DD7
                                                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458E11,?,-00000020,0000000C,-00004034,00000014,02323858,?,00000000,00458E38,?,00000000), ref: 00458DFD
                                                                                                              • GetLastError.KERNEL32(?,?,00000000,00000001,00458E11,?,-00000020,0000000C,-00004034,00000014,02323858,?,00000000,00458E38,?,00000000), ref: 00458E04
                                                                                                                • Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                                                              • API String ID: 2182916169-3012584893
                                                                                                              • Opcode ID: 98c2342ffc13102a86a2f4ad38db514fb9186628fbfdf3c783b7ad9eec6d73f4
                                                                                                              • Instruction ID: b755420f5ccc64554a28e8d5f72de5b6a69c50c517f2f1d69fd7c456eb535d6c
                                                                                                              • Opcode Fuzzy Hash: 98c2342ffc13102a86a2f4ad38db514fb9186628fbfdf3c783b7ad9eec6d73f4
                                                                                                              • Instruction Fuzzy Hash: 4A417371A00608EFDB15DF95CD81F9EB7F9EB48715F10406AF904E7292DA789E44CB28
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456F2D,?,?,00000031,?), ref: 00456DF0
                                                                                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456DF6
                                                                                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456E43
                                                                                                                • Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                                              • API String ID: 1914119943-2711329623
                                                                                                              • Opcode ID: 7b1ec654037b0c607dfe6d04a3082381f0cbc5cf9cb070b5b8bf219295e165cb
                                                                                                              • Instruction ID: 2b224e74544e423aed3b5227b18181137566e670263372cbc00570a3e14d3cd7
                                                                                                              • Opcode Fuzzy Hash: 7b1ec654037b0c607dfe6d04a3082381f0cbc5cf9cb070b5b8bf219295e165cb
                                                                                                              • Instruction Fuzzy Hash: 2B319275A00504AFDB11EFAACC42D5FB7BEEB89705752846AF804D3652DA38DD04CB28
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047EB60,00000000), ref: 0042E451
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E457
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E52D,?,00000000,0047EB60,00000000), ref: 0042E4A5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressCloseHandleModuleProc
                                                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                              • API String ID: 4190037839-2401316094
                                                                                                              • Opcode ID: 761438a972c1d8afd23800e57b4d549b524e079593dc70a8e3d34b505a119004
                                                                                                              • Instruction ID: 3fe9fe372c4d794b24d5987f6434f9a2f248a379bc076d0360e6e1ac237d63e0
                                                                                                              • Opcode Fuzzy Hash: 761438a972c1d8afd23800e57b4d549b524e079593dc70a8e3d34b505a119004
                                                                                                              • Instruction Fuzzy Hash: 16216430B10219BBCB10EAF7DC45A9E77A8EB04308FA04877A500E7281EB7CDE459B5D
                                                                                                              APIs
                                                                                                              • RectVisible.GDI32(?,?), ref: 00416E23
                                                                                                              • SaveDC.GDI32(?), ref: 00416E37
                                                                                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                                                              • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                                                              • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                                                              • DeleteObject.GDI32(?), ref: 00416F32
                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                                                              • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                                                              • DeleteObject.GDI32(?), ref: 00416F7F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 375863564-0
                                                                                                              • Opcode ID: db6c70493318213a3b2cdd544b125370fd54b269ad31cfd686a9519e7a86e3c4
                                                                                                              • Instruction ID: c727efbf8946963a4c0451e641fd5f3f57076e2c2b79ed229a1c60f75d7412ee
                                                                                                              • Opcode Fuzzy Hash: db6c70493318213a3b2cdd544b125370fd54b269ad31cfd686a9519e7a86e3c4
                                                                                                              • Instruction Fuzzy Hash: A0513AB12047455FDB50EF69C8C4B9B77E8AF48314F1546AAFD488B286C738EC81CB99
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
• Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422243
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: b2f1750b03ba79d273c55ca6812263c276687b20c7bac49dc024d7f30c6f7dfa
• Instruction ID: efa19709b170cd1c2d0de868379c086f5835f405e594c588ded1d161c250978f
• Opcode Fuzzy Hash: b2f1750b03ba79d273c55ca6812263c276687b20c7bac49dc024d7f30c6f7dfa
• Instruction Fuzzy Hash: 112124703807447AE720E725CD8BF9B7BD89B04718F5440A9BA48BF2D3C6F9AA40865C
APIs
• FreeLibrary.KERNEL32(10000000), ref: 00481EF5
• FreeLibrary.KERNEL32(00000000), ref: 00481F09
• SendNotifyMessageA.USER32(00010434,00000496,00002710,00000000), ref: 00481F7B
Strings
• Not restarting Windows because Setup is being run from the debugger., xrefs: 00481F2A
• DeinitializeSetup, xrefs: 00481DF1
• Restarting Windows., xrefs: 00481F56
• Deinitializing Setup., xrefs: 00481D56
• GetCustomSetupExitCode, xrefs: 00481D95
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: c898f3fadde3ff7955209d5f4aceb7b29c199a3380d9c61b05ec390ed495ea4d
• Instruction ID: 9e00769445d4a0c849b2d818ef4b464354af313f5be9db4beddfa23a64d09d3b
• Opcode Fuzzy Hash: c898f3fadde3ff7955209d5f4aceb7b29c199a3380d9c61b05ec390ed495ea4d
• Instruction Fuzzy Hash: 0C518031A04200AFD715EF69D845B5E7BA8EB19318F50887BF905C72B1D738A845CB59
APIs
• SHGetMalloc.SHELL32(?), ref: 0046176F
• GetActiveWindow.USER32 ref: 004617D3
• CoInitialize.OLE32(00000000), ref: 004617E7
• SHBrowseForFolder.SHELL32(?), ref: 004617FE
• CoUninitialize.OLE32(0046183F,00000000,?,?,?,?,?,00000000,004618C3), ref: 00461813
• SetActiveWindow.USER32(?,0046183F,00000000,?,?,?,?,?,00000000,004618C3), ref: 00461829
• SetActiveWindow.USER32(?,?,0046183F,00000000,?,?,?,?,?,00000000,004618C3), ref: 00461832
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
• String ID: A
• API String ID: 2684663990-3554254475
• Opcode ID: c8a2995f1564064eb5a34001aee608c8ce9a85b4cfccd82670955085ca8b405e
• Instruction ID: ed33581d6f83e257b2021294155b7b183ce5e349162e4ad67cdd841697ea343d
• Opcode Fuzzy Hash: c8a2995f1564064eb5a34001aee608c8ce9a85b4cfccd82670955085ca8b405e
• Instruction Fuzzy Hash: DD31F0B1E00248AFDB11EFA6D885A9EBBF8EB09304F55447BF804E7251E7785A04CB59
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00472CB5,?,?,?,00000008,00000000,00000000,00000000,?,00472F11,?,?,00000000,00473194), ref: 00472C18
  • Part of subcall function 0042CDA4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE1A
  • Part of subcall function 00406F60: DeleteFileA.KERNEL32(00000000,0049C628,00498DC9,00000000,00498E1E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F6B
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472CB5,?,?,?,00000008,00000000,00000000,00000000,?,00472F11), ref: 00472C8F
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472CB5,?,?,?,00000008,00000000,00000000,00000000), ref: 00472C95
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: 66cca181f9b721833913324fb941b36821abb62f62904710aeac79635de6a3b1
• Instruction ID: 65975e4bd8cd76c9bb0fe38812e038ff2f06eb36f2e037c13b6dabf628133507
• Opcode Fuzzy Hash: 66cca181f9b721833913324fb941b36821abb62f62904710aeac79635de6a3b1
• Instruction Fuzzy Hash: 9511D0307005147FD712EA759E82B9E76ACDB59714F61853BB804A72C1DBBCAE02866C
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D365
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D375
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D385
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D395
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: dc90f1f262602021e393954f48f97557164b85cd901e8b5ff6cac9b118bc13cf
• Instruction ID: a094d50e791027cbd3930c6bcb0dd8b00ad2176992dcb97735ddb1afc71f87fe
• Opcode Fuzzy Hash: dc90f1f262602021e393954f48f97557164b85cd901e8b5ff6cac9b118bc13cf
• Instruction Fuzzy Hash: 170128B0D00700DAE324DF36AC4272636A5EFA430EF14903BAD48962B7D779485B9A2D
APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A9C9
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AA03
• SetBkColor.GDI32(?,?), ref: 0041AA18
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
• SetBkColor.GDI32(00000000,?), ref: 0041AAD3
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: 346bdf56f45da54f900b88fa69c46fff65611cbab2d21c5c69379b94b51b0a6c
• Instruction ID: 3742fc556daaed9ad14d930c470d40cb5efd251a519f467f7f8e710c3ba79c5e
• Opcode Fuzzy Hash: 346bdf56f45da54f900b88fa69c46fff65611cbab2d21c5c69379b94b51b0a6c
• Instruction Fuzzy Hash: A561E5B5A00105EFCB40EFA9D985E9ABBF8EF08314B108166F518DB261CB34ED50CF99
APIs
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458320,?, /s ",?,regsvr32.exe",?,00458320), ref: 00458292
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: 094f14b588af688cd7db8b552fab67cbd0f69cfd9e563acb8ae8cd2159047a0a
• Instruction ID: 3217153a075e29e22e4edd5f99a32045657764684ff44c5b21fe10df6120cd58
• Opcode Fuzzy Hash: 094f14b588af688cd7db8b552fab67cbd0f69cfd9e563acb8ae8cd2159047a0a
• Instruction Fuzzy Hash: 28411770A00308ABDB10EFD5C842BDEB7F9AF45705F50407FA904BB292DF799A098B59
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044D21D
• GetSysColor.USER32(00000014), ref: 0044D224
• SetTextColor.GDI32(00000000,00000000), ref: 0044D23C
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D265
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D26F
• GetSysColor.USER32(00000010), ref: 0044D276
• SetTextColor.GDI32(00000000,00000000), ref: 0044D28E
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D2B7
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D2E2
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
• API String ID: 1005981011-0
• Opcode ID: 0c9f13fdac39b7e8032be21cb884e4f523a93d5be2f974ed7a515f91e2df11ad
• Instruction ID: bddce6b53f256ac6c171d17b767d3a31006e7acd236a538b09f11432ecbe9b7c
• Opcode Fuzzy Hash: 0c9f13fdac39b7e8032be21cb884e4f523a93d5be2f974ed7a515f91e2df11ad
• Instruction Fuzzy Hash: 6921AFB42015047FC710FB6ACD8AE8B7BDC9F19319B01857AB918EB392C678DE404669
APIs
  • Part of subcall function 004509A0: SetEndOfFile.KERNEL32(?,?,0045C3EA,00000000,0045C575,?,00000000,00000002,00000002), ref: 004509A7
  • Part of subcall function 00406F60: DeleteFileA.KERNEL32(00000000,0049C628,00498DC9,00000000,00498E1E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F6B
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00496C5D
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496C71
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00496C8B
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496C97
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496C9D
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00496CB0
Strings
• Deleting Uninstall data files., xrefs: 00496BD3
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: 1ff474fed9ee097c96215d717bbe635fc8fb99da6ef0c3667258a19916fdf94b
• Instruction ID: 97c3483cac018c5983fbae276c25bca061d0eb7c138ea963c76b2828a35483b6
• Opcode Fuzzy Hash: 1ff474fed9ee097c96215d717bbe635fc8fb99da6ef0c3667258a19916fdf94b
• Instruction Fuzzy Hash: A0215371704204BFEB11EB7AED42B263BA8D75975CF52443BB501971A2D67CAC01CB2D
APIs
  • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004704F1,?,?,?,?,00000000), ref: 0047045B
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004704F1), ref: 00470472
• AddFontResourceA.GDI32(00000000), ref: 0047048F
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004704A3
Strings
• Failed to set value in Fonts registry key., xrefs: 00470464
• Failed to open Fonts registry key., xrefs: 00470479
• AddFontResource, xrefs: 004704AD
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: 38b82f5f3b64ce6b3544e272c3aeff7abd196abe9590372e985aa06f0b830a89
• Instruction ID: 7097c2831d41c9cd2ca76b8e30f6fd32102657c6dd1fb14c708e758a2e1a6bb0
• Opcode Fuzzy Hash: 38b82f5f3b64ce6b3544e272c3aeff7abd196abe9590372e985aa06f0b830a89
• Instruction Fuzzy Hash: 6421C770741204BBD710EA669C42FAE679DDB54704F50843BBA04FB3C2D67CAE05466D
APIs
  • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
  • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
  • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
• GetVersion.KERNEL32 ref: 00462F08
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462F46
• SHGetFileInfo.SHELL32(00462FE4,00000000,?,00000160,00004011), ref: 00462F63
• LoadCursorA.USER32(00000000,00007F02), ref: 00462F81
• SetCursor.USER32(00000000,00000000,00007F02,00462FE4,00000000,?,00000160,00004011), ref: 00462F87
• SetCursor.USER32(?,00462FC7,00007F02,00462FE4,00000000,?,00000160,00004011), ref: 00462FBA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: 96f263f28a0c5ccb9cf997cde3498094f1a70322a781246ee7820a3eb8b88b0c
• Instruction ID: e6c52dcece90e3493be9f15e0e64570b8c3e052e326357339ba6e8db1b4e70e7
• Opcode Fuzzy Hash: 96f263f28a0c5ccb9cf997cde3498094f1a70322a781246ee7820a3eb8b88b0c
• Instruction Fuzzy Hash: 80210A707447047AE714BB758D87F9A76989B04708F4004BFB609EE1C3DAFC9805966D
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02322C1C,?,?,?,02322C1C,00478970,00000000,00478A8E,?,?,?,?), ref: 004787C5
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004787CB
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02322C1C,?,?,?,02322C1C,00478970,00000000,00478A8E,?,?,?,?), ref: 004787DE
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02322C1C,?,?,?,02322C1C), ref: 00478808
• CloseHandle.KERNEL32(00000000,?,?,?,02322C1C,00478970,00000000,00478A8E,?,?,?,?), ref: 00478826
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 14f21087db484bbe1d5e4b5a8bc4cc83b4293264f889a619fd0c4b3a846a45dc
• Instruction ID: b4b4eb6e882b21a3e38edc8c56477b2b3cf7b2a6488eba7606f3a3958a626299
• Opcode Fuzzy Hash: 14f21087db484bbe1d5e4b5a8bc4cc83b4293264f889a619fd0c4b3a846a45dc
• Instruction Fuzzy Hash: A101D6717C470436E52035AB4C8AFBB654C8B50769F65813F7A5CEA2C2DEAC8D0601AF
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,0045A036,?,00000000,00000000,00000000,?,00000006,?,00000000,00497F35,?,00000000,00497FD8), ref: 00459F7A
                                                                                                                • Part of subcall function 00454468: FindClose.KERNEL32(000000FF,0045455E), ref: 0045454D
                                                                                                              Strings
                                                                                                              • Deleting directory: %s, xrefs: 00459F03
                                                                                                              • Stripped read-only attribute., xrefs: 00459F3C
                                                                                                              • Failed to strip read-only attribute., xrefs: 00459F48
                                                                                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459F54
                                                                                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459FEF
                                                                                                              • Failed to delete directory (%d)., xrefs: 0045A010
                                                                                                              • Failed to delete directory (%d). Will retry later., xrefs: 00459F93
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseErrorFindLast
                                                                                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                                              • API String ID: 754982922-1448842058
                                                                                                              • Opcode ID: 108d6f8d37026f2bdf90fc188fb77551ed7727444c0280258668295353b09f4f
                                                                                                              • Instruction ID: f7c933924608f42955d773fda0cc7ecec7f056cd1af039b488d7310b1683b7b3
                                                                                                              • Opcode Fuzzy Hash: 108d6f8d37026f2bdf90fc188fb77551ed7727444c0280258668295353b09f4f
                                                                                                              • Instruction Fuzzy Hash: 2741AF30A142459ACB14DF6988013AEBAA59F4970AF50867BAC05D73C3CB7D8D1DC75E
                                                                                                              APIs
                                                                                                              • GetCapture.USER32 ref: 00422EB4
                                                                                                              • GetCapture.USER32 ref: 00422EC3
                                                                                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                                                              • ReleaseCapture.USER32 ref: 00422ECE
                                                                                                              • GetActiveWindow.USER32 ref: 00422EDD
                                                                                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                                                              • GetActiveWindow.USER32 ref: 00422FCF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                              • String ID:
                                                                                                              • API String ID: 862346643-0
                                                                                                              • Opcode ID: 68a87140416b020399d93bb5315a0a21c376da3895e44649e19dd4425ce1cb21
                                                                                                              • Instruction ID: 5ea5fd569023dc8c87c0f060f2033c8effa86d07781bc97308b393d06b21a190
                                                                                                              • Opcode Fuzzy Hash: 68a87140416b020399d93bb5315a0a21c376da3895e44649e19dd4425ce1cb21
                                                                                                              • Instruction Fuzzy Hash: 42414F70B00254AFDB10EB69DA82B9E77F1EF48304F5540BAF500AB292D7B89E40DB58
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 0042949A
                                                                                                              • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 004294CE
                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                                                              • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 1583807278-0
                                                                                                              • Opcode ID: f653b88d646d5855613b637c91f02c053f26aae7c72922398ebfcd233ccf026a
                                                                                                              • Instruction ID: 697d7c7282338d87a55ab62dd7e79ac53eeb01c5e9ca74f61c727bf968a75029
                                                                                                              • Opcode Fuzzy Hash: f653b88d646d5855613b637c91f02c053f26aae7c72922398ebfcd233ccf026a
                                                                                                              • Instruction Fuzzy Hash: 4B01E1517087113AF311767A8CC2F6F65C8CB48348F44043AFA46963D3D96C9C81872A
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 0041DE37
                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE41
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041DE4E
                                                                                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                                                              • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                                                              • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                                                              • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 225703358-0
                                                                                                              • Opcode ID: 9e6aef158aae43a64748e55fd0ac7cd53bc5d466c5663c5b8304b383878f9cfe
                                                                                                              • Instruction ID: 417a648a5fb8aa5baf3b27a45d37177240889d53830a96f1de9ccb55acdbe8d0
                                                                                                              • Opcode Fuzzy Hash: 9e6aef158aae43a64748e55fd0ac7cd53bc5d466c5663c5b8304b383878f9cfe
                                                                                                              • Instruction Fuzzy Hash: D0113D706443015AE340FFA65992BAA3690EB24709F00913FF609AF3D1DA7E1C849B6E
                                                                                                              APIs
                                                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 004633EC
                                                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463481), ref: 004633F2
                                                                                                              • SetCursor.USER32(?,00463469,00007F02,00000000,00463481), ref: 0046345C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$Load
                                                                                                              • String ID: $ $Internal error: Item already expanding
                                                                                                              • API String ID: 1675784387-1948079669
                                                                                                              • Opcode ID: f6d1be44cf2e44268d7afd95b077db9a3be558b3ec252d02f0fd4fc7ed4407db
                                                                                                              • Instruction ID: 22b4a0b3887aba48b6836ac3fd128682d97f720243347cd6184d65e00a263647
                                                                                                              • Opcode Fuzzy Hash: f6d1be44cf2e44268d7afd95b077db9a3be558b3ec252d02f0fd4fc7ed4407db
                                                                                                              • Instruction Fuzzy Hash: A1B1A230A00284EFDB21DF29C545B9ABBF0AF04305F1585AEE8459B792D778EE44CB5A
                                                                                                              APIs
                                                                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E8B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PrivateProfileStringWrite
                                                                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                                              • API String ID: 390214022-3304407042
                                                                                                              • Opcode ID: 69f3bf86b6b830d495b8de3dd549e81b01dfda702afa7db40213f9dbbc84b83f
                                                                                                              • Instruction ID: b3c584f0f22674ad0fcc633aedcec79f77295145a47899f9a0f541d7d967d7d4
                                                                                                              • Opcode Fuzzy Hash: 69f3bf86b6b830d495b8de3dd549e81b01dfda702afa7db40213f9dbbc84b83f
                                                                                                              • Instruction Fuzzy Hash: 9191F534E001099BDF11EFA5D881BDEB7F5EF4834AF508466E900B7292D7789E49CA58
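The strings attached to the two functions above ("Failed to delete directory (%d). Will delete on restart (if empty)." and "WININIT.INI", "[rename]", "NUL", "MoveFileEx", ".tmp") are the two delete-on-reboot paths of an installer runtime: on Windows 9x a "NUL=path" line is written into the [rename] section of WININIT.INI with WritePrivateProfileStringA, and on NT the runtime resolves MoveFileEx dynamically and queues the operation with MOVEFILE_DELAY_UNTIL_REBOOT, which lands in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. When triaging a host that ran this sample, both locations tell you what the installer intends to remove or overwrite at the next boot. The script below is an added example, not code from the Joe Sandbox report or from the analysed sample; it decodes both formats into one list. All inputs are constructed and the paths in them are hypothetical.

```python
r"""Decode files scheduled for deletion or replacement at next reboot.

Added example, not code from Joe Sandbox or from the analysed sample.
It decodes the Windows 9x WININIT.INI "[rename]" section ("NUL=path"
deletes, "newname=oldname" renames) and the NT PendingFileRenameOperations
REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager, where MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) queues its work.
All sample inputs below are constructed; the paths are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    op: str                 # "delete" or "rename"
    src: str                # file that will be removed or moved
    dst: Optional[str]      # new name for renames, None for deletes
    replace_existing: bool  # rename may overwrite an existing dst
    origin: str             # "wininit.ini" or "registry"


def _strip_nt(path: str) -> str:
    r"""Turn an NT object path (\??\C:\x) into the Win32 form (C:\x)."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_wininit_rename(ini_text: str) -> List[PendingOp]:
    """Parse the [rename] section: "destination=source"; NUL means delete."""
    ops: List[PendingOp] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dst, src = (part.strip() for part in line.split("=", 1))
        if dst.upper() == "NUL":
            ops.append(PendingOp("delete", src, None, False, "wininit.ini"))
        else:
            # [rename] moves overwrite the destination; a restart-replace
            # step relies on exactly that to swap an in-use file.
            ops.append(PendingOp("rename", src, dst, True, "wininit.ini"))
    return ops


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob (UTF-16-LE, each string NUL-terminated,
    one extra NUL at the end). Used only to construct the sample below."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def parse_multi_sz(raw: bytes) -> List[str]:
    """Decode REG_MULTI_SZ, keeping empty strings (they mean 'delete' here)."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ data must end with a NUL terminator")
    body = text[:-1]                  # drop the block terminator
    if body.strip("\x00") == "":
        return []
    return body.split("\x00")[:-1]    # each element carries its own NUL


def parse_pending_file_rename_ops(raw: bytes) -> List[PendingOp]:
    """Decode PendingFileRenameOperations src/dst pairs. An empty dst means
    delete; a dst starting with "!" was queued with MOVEFILE_REPLACE_EXISTING."""
    entries = parse_multi_sz(raw)
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold src/dst pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt(src), None, False, "registry"))
        else:
            ops.append(PendingOp("rename", _strip_nt(src),
                                 _strip_nt(dst.lstrip("!")),
                                 dst.startswith("!"), "registry"))
    return ops


def scheduled_deletions(ops: List[PendingOp]) -> List[str]:
    """Paths whose current content is gone after reboot: direct deletes and
    the targets of renames that overwrite an existing file."""
    gone: List[str] = []
    for op in ops:
        if op.op == "delete":
            gone.append(op.src)
        elif op.replace_existing and op.dst is not None:
            gone.append(op.dst)
    return gone


# Constructed sample inputs (hypothetical paths, not taken from the sample).
SAMPLE_WININIT_INI = r"""
[Options]
; unrelated section
[rename]
NUL=C:\EXAMPLE\UNINS~1.TMP
C:\EXAMPLE\APP.DLL=C:\EXAMPLE\APP.DL_
"""

SAMPLE_PENDING = encode_multi_sz([
    r"\??\C:\Example\setup.tmp", "",                          # delete
    r"\??\C:\Example\new.dll", r"!\??\C:\Example\app.dll",    # replace
])


if __name__ == "__main__":
    ops = parse_wininit_rename(SAMPLE_WININIT_INI) + parse_pending_file_rename_ops(SAMPLE_PENDING)
    for op in ops:
        print(op)
    print("gone at reboot:", scheduled_deletions(ops))
```

On a live system the registry blob comes from `winreg.QueryValueEx` on the Session Manager key (the value is returned already split by Python, so feed the list to the pair logic directly); on a disk image, export the SYSTEM hive and read the raw REG_MULTI_SZ bytes, which is what `parse_multi_sz` expects. Empty strings must survive decoding, since an empty destination is the only marker that an entry is a deletion rather than a rename.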
                                                                                                              APIs
                                                                                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004770E5
                                                                                                              • SetWindowLongW.USER32(00000000,000000FC,00477040), ref: 0047710C
                                                                                                              • GetACP.KERNEL32(00000000,00477324,?,00000000,0047734E), ref: 00477149
                                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0047718F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassInfoLongMessageSendWindow
                                                                                                              • String ID: COMBOBOX$Inno Setup: Language
                                                                                                              • API String ID: 3391662889-4234151509
                                                                                                              • Opcode ID: 521d6e489fa1ae24faf8f78c129860c497e4f80b4a302989467673be046d20e0
                                                                                                              • Instruction ID: 5e09237f06f7ca82dbad2e96fb5083c0fe5e5e2331f930e3c55d8b81a1e05678
                                                                                                              • Opcode Fuzzy Hash: 521d6e489fa1ae24faf8f78c129860c497e4f80b4a302989467673be046d20e0
                                                                                                              • Instruction Fuzzy Hash: 67814F30A042059FCB10DF69C985A9AB7F1FB49304F9481BAEC08EB362D734AD41CB99
                                                                                                              APIs
                                                                                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408978,?,?,?,?,00000000,00000000,00000000,?,0040997F,00000000,00409992), ref: 0040874A
                                                                                                                • Part of subcall function 00408578: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049C4C0,00000001,?,00408643,?,00000000,00408722), ref: 00408596
                                                                                                                • Part of subcall function 004085C4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087C6,?,?,?,00000000,00408978), ref: 004085D7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoLocale$DefaultSystem
                                                                                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                              • API String ID: 1044490935-665933166
                                                                                                              • Opcode ID: 70ae38f132fc3d3f9053d40cb900b3f5106e9b3c11c1bc8091f0af349ffabeb6
                                                                                                              • Instruction ID: 31fd29742738ad3ef4a1c8f63862b88eefe7a444323e1968e1f56601496a4ee9
                                                                                                              • Opcode Fuzzy Hash: 70ae38f132fc3d3f9053d40cb900b3f5106e9b3c11c1bc8091f0af349ffabeb6
                                                                                                              • Instruction Fuzzy Hash: 55512D74B001486BDB01FBA69D91AAE77A9DB94308F50D47FA181BB3C6CE3CDA05871D
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                                                                • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                                                                • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                              • String ID: ,$?
                                                                                                              • API String ID: 2359071979-2308483597
                                                                                                              • Opcode ID: 44383e044abff6cbf278423e894284f1520358ef4015b87050d63fd1739e3a25
                                                                                                              • Instruction ID: c427c9b06a4b8e224850f8fd68708263cabc4ba561a0b31d0e571b4226371ffb
                                                                                                              • Opcode Fuzzy Hash: 44383e044abff6cbf278423e894284f1520358ef4015b87050d63fd1739e3a25
                                                                                                              • Instruction Fuzzy Hash: 0C511774A00144ABDB10EF7ADC816EA7BF9AF08304B1185BBF914E73A6D738D941CB58
                                                                                                              APIs
                                                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                                                              • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                                                              • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                              • String ID:
                                                                                                              • API String ID: 1030595962-0
                                                                                                              • Opcode ID: 5a427f00feddb577fff5167fa7821d20935eac0201827996bfcfefe2a8efdbf4
                                                                                                              • Instruction ID: 04b97f25464b58ff436fe1885c4dd039914ee627ffefe5dec802ec1f9d3f819a
                                                                                                              • Opcode Fuzzy Hash: 5a427f00feddb577fff5167fa7821d20935eac0201827996bfcfefe2a8efdbf4
                                                                                                              • Instruction Fuzzy Hash: 8A510571A006199FCB14DFA9C8819EEB7F9EF48314B11442AF914E7391D738AD81CB64
                                                                                                              APIs
                                                                                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
                                                                                                              • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF2D
                                                                                                              • SelectPalette.GDI32(?,?,00000001), ref: 0041CF93
                                                                                                              • RealizePalette.GDI32(?), ref: 0041CFA2
                                                                                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
                                                                                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
                                                                                                              • SelectPalette.GDI32(?,?,00000001), ref: 0041D06F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                                              • String ID:
                                                                                                              • API String ID: 2222416421-0
                                                                                                              • Opcode ID: d578c5c43a151ca21ad873cc4bbf55809b48f101e43ab62b7175feda3131b2cf
                                                                                                              • Instruction ID: 901e13b734fcfe26ab98e85b677eebf668a0bb257bdc2dc03c804f52c9ec24c8
                                                                                                              • Opcode Fuzzy Hash: d578c5c43a151ca21ad873cc4bbf55809b48f101e43ab62b7175feda3131b2cf
                                                                                                              • Instruction Fuzzy Hash: 47514FB0600204AFDB14DFA9C995F9BBBF9EF08304F108599B549DB292C778ED81CB58
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,?,?), ref: 004573D6
                                                                                                                • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
                                                                                                                • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                                                                • Part of subcall function 0041EEB4: EnumThreadWindows.USER32(00000000,0041EE64,00000000), ref: 0041EF09
                                                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045743D
                                                                                                              • TranslateMessage.USER32(?), ref: 0045745B
                                                                                                              • DispatchMessageA.USER32(?), ref: 00457464
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                                              • String ID: [Paused]
                                                                                                              • API String ID: 1007367021-4230553315
                                                                                                              • Opcode ID: 6b168901e7e1781911bc7d22981d81ae3d793b775a360e859fc7bc33357b6a45
                                                                                                              • Instruction ID: dae39b44a8721021bfcf47da434b07c1a86f758a792d2d621748dfb7f1b1fb5a
                                                                                                              • Opcode Fuzzy Hash: 6b168901e7e1781911bc7d22981d81ae3d793b775a360e859fc7bc33357b6a45
                                                                                                              • Instruction Fuzzy Hash: 47319531908248AEDB11DBB5EC41BDE7FB8DB4E314F558077E800E7292D67C9909CB69
                                                                                                              APIs
                                                                                                              • GetCursor.USER32(00000000,0046B65F), ref: 0046B5DC
                                                                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0046B5EA
                                                                                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B65F), ref: 0046B5F0
                                                                                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B65F), ref: 0046B5FA
                                                                                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B65F), ref: 0046B600
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$LoadSleep
                                                                                                              • String ID: CheckPassword
                                                                                                              • API String ID: 4023313301-1302249611
                                                                                                              • Opcode ID: 58e796373b9fdc746396fa9d1da2347ca5f5e20d566bce270774f79728b0c312
                                                                                                              • Instruction ID: 9215a56909f4d399359b4036adebcff7cd559b99f6583fb3c160e276e3804376
                                                                                                              • Opcode Fuzzy Hash: 58e796373b9fdc746396fa9d1da2347ca5f5e20d566bce270774f79728b0c312
                                                                                                              • Instruction Fuzzy Hash: 34318634644604AFD711EB65C889F9E7BE0EF09308F558076B9049B3A2D778AE40CB99
                                                                                                              APIs
                                                                                                                • Part of subcall function 00477FD0: GetWindowThreadProcessId.USER32(00000000), ref: 00477FD8
                                                                                                                • Part of subcall function 00477FD0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004780CF,0049D0A8,00000000), ref: 00477FEB
                                                                                                                • Part of subcall function 00477FD0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477FF1
                                                                                                              • SendMessageA.USER32(00000000,0000004A,00000000,00478462), ref: 004780DD
                                                                                                              • GetTickCount.KERNEL32 ref: 00478122
                                                                                                              • GetTickCount.KERNEL32 ref: 0047812C
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00478181
                                                                                                              Strings
                                                                                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 00478112
                                                                                                              • CallSpawnServer: Unexpected status: %d, xrefs: 0047816A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                                              • API String ID: 613034392-3771334282
                                                                                                              • Opcode ID: c7480ea5248a76885aa581e3ee921a1a12fc6fcdeb10822e96bf497bbef75b79
                                                                                                              • Instruction ID: 23b6b6b43e2695b35219bdfabe49a415745965cef25793df2ffc6287c46841aa
                                                                                                              • Opcode Fuzzy Hash: c7480ea5248a76885aa581e3ee921a1a12fc6fcdeb10822e96bf497bbef75b79
                                                                                                              • Instruction Fuzzy Hash: 5F319334F402159ADB10EBB9898A7EEB6A4DF45314F50C03EB548EB382DA7C8D4587AD
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 004598E7
                                                                                                              Strings
                                                                                                              • .NET Framework CreateAssemblyCache function failed, xrefs: 0045990A
                                                                                                              • Fusion.dll, xrefs: 00459887
                                                                                                              • Failed to load .NET Framework DLL "%s", xrefs: 004598CC
                                                                                                              • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 004598F2
                                                                                                              • CreateAssemblyCache, xrefs: 004598DE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                              • API String ID: 190572456-3990135632
                                                                                                              • Opcode ID: cec796d4e13f9bbf909e1b37fee8798d7a3cd604801f0b80e840edc89de29e45
                                                                                                              • Instruction ID: f91bc12d19f1fe408be280579c06801c7313a3191b14845461a6c76c6493a406
                                                                                                              • Opcode Fuzzy Hash: cec796d4e13f9bbf909e1b37fee8798d7a3cd604801f0b80e840edc89de29e45
                                                                                                              • Instruction Fuzzy Hash: B1318470E04659ABCB01EFA5C88169EB7A8AF44315F50857EE814A7382DB389E08C799
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
                                                                                                              • GetFocus.USER32 ref: 0041C178
                                                                                                              • GetDC.USER32(?), ref: 0041C184
                                                                                                              • SelectPalette.GDI32(?,?,00000000), ref: 0041C1A5
                                                                                                              • RealizePalette.GDI32(?), ref: 0041C1B1
                                                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
                                                                                                              • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1F0
                                                                                                              • ReleaseDC.USER32(?,?), ref: 0041C1FD
                                                                                                              Similarity
                                                                                                              • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 3303097818-0
                                                                                                              • Opcode ID: 7919d48a5b742b990554a8e16781250233d38a1b512c062c402771df9818cd79
                                                                                                              • Instruction ID: 8ccc34f866771a30a1661531480aea9d283d3c3e19187e20a9e7c35f18d949ed
                                                                                                              • Opcode Fuzzy Hash: 7919d48a5b742b990554a8e16781250233d38a1b512c062c402771df9818cd79
                                                                                                              • Instruction Fuzzy Hash: 45112C71A40609BBDB10DBE9DC85FAFB7FCEB48700F54446AB514E7281D67899408B68
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C80
                                                                                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C88
                                                                                                              • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
                                                                                                                • Part of subcall function 00410808: 6F52C400.COMCTL32(0049C628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041080C
                                                                                                              • 6F59CB00.COMCTL32(0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
                                                                                                              • 6F59C740.COMCTL32(00000000,?,0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
                                                                                                              • 6F59CB00.COMCTL32(0049C628,00000001,?,?,00000000,?,0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
                                                                                                              • 6F530860.COMCTL32(0049C628,00418D1F,?,00000000,?,0049C628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
                                                                                                              Similarity
                                                                                                              • API ID: MetricsSystem$C400C740F530860F532980
                                                                                                              • String ID:
                                                                                                              • API String ID: 209721339-0
                                                                                                              • Opcode ID: ea814aff01982a735542cfcaa5f2d759ebf4f13d0bc11ea9e85cdf93c4d7c833
                                                                                                              • Instruction ID: 86feed5bc36cb920ea04fcbc52f338b48e1a9a04039637533027038eb31c68aa
                                                                                                              • Opcode Fuzzy Hash: ea814aff01982a735542cfcaa5f2d759ebf4f13d0bc11ea9e85cdf93c4d7c833
                                                                                                              • Instruction Fuzzy Hash: 43114975B44304BBEB10FBA5DC83F9D73B9DB48704F6040A6B604EB2D1DAB99D808758
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00484208), ref: 004841ED
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                                              • API String ID: 47109696-2530820420
                                                                                                              • Opcode ID: 175cbca803adff72b6f31b0ab826ba1636993e1de56de7a73ad1c8f74136b4de
                                                                                                              • Instruction ID: c07cac4acaa77b59f2fcd2c5e8c20c92fe22663a7df472bca0d1e55dfbcce728
                                                                                                              • Opcode Fuzzy Hash: 175cbca803adff72b6f31b0ab826ba1636993e1de56de7a73ad1c8f74136b4de
                                                                                                              • Instruction Fuzzy Hash: 81119334B082059AD700F7A69C0AB5E7BE8DBA5348F6148B7B800E7281E778AE41C71C
                                                                                                              APIs
                                                                                                              • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                                                              • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                                                              • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                                                              Similarity
                                                                                                              • API ID: ObjectSelect$Delete$Stretch
                                                                                                              • String ID:
                                                                                                              • API String ID: 1458357782-0
                                                                                                              • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                                              • Instruction ID: ae96c6176d6eb3f3494de580be991e563f9897aa79c0ee3e7df45ff247fef712
                                                                                                              • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                                              • Instruction Fuzzy Hash: 89115C72F44619ABDB10DADDD886FEFB7BCEB08704F044455B614F7282C678AD418BA8
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 00495BF1
                                                                                                                • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00495C13
                                                                                                              • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00496191), ref: 00495C27
                                                                                                              • GetTextMetricsA.GDI32(00000000,?), ref: 00495C49
                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00495C66
                                                                                                              Strings
                                                                                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495C1E
                                                                                                              Similarity
                                                                                                              • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                                              • API String ID: 2948443157-222967699
                                                                                                              • Opcode ID: 34d9b8c6e0926a644222171ae738b9a92d766e6739e8c0773c4b1cb47b325552
                                                                                                              • Instruction ID: 6d86e16e7996164c3d99a70d64bcdfbf35cb9465fd6ee9b2fa75eb6a08a4ab21
                                                                                                              • Opcode Fuzzy Hash: 34d9b8c6e0926a644222171ae738b9a92d766e6739e8c0773c4b1cb47b325552
                                                                                                              • Instruction Fuzzy Hash: 05016176A04709ABDB05DBA98C41E5FB7ECDB49704F21047ABA00E7691D678AE008B28
                                                                                                              APIs
                                                                                                              • GetCursorPos.USER32 ref: 004233BF
                                                                                                              • WindowFromPoint.USER32(?,?), ref: 004233CC
                                                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 004233E1
                                                                                                              • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
                                                                                                              • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
                                                                                                              • SetCursor.USER32(00000000), ref: 00423423
                                                                                                              Similarity
                                                                                                              • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1770779139-0
                                                                                                              • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                                              • Instruction ID: 0489214c39e5746bc568676ade8a3ee1219ea943f6d585d977b545401c7ee2ca
                                                                                                              • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                                              • Instruction Fuzzy Hash: 2001D42230562036D6217B795C86E2F22A8CB85B65F50447FB645BB283D93D8C00537D
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 00495A14
                                                                                                              • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495A21
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495A2E
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModule
                                                                                                              • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                                              • API String ID: 667068680-2254406584
                                                                                                              • Opcode ID: 3c8b88976e6e67713f1e6fb0365be4ac33276af7b519073db6005e1fda00490b
                                                                                                              • Instruction ID: 6bb6bd91ed17cc43c826bdde37d3733eb090f1301ce7563d8f1f25412fa62683
                                                                                                              • Opcode Fuzzy Hash: 3c8b88976e6e67713f1e6fb0365be4ac33276af7b519073db6005e1fda00490b
                                                                                                              • Instruction Fuzzy Hash: 0AF0F6A2B42F1526DA1161760CC1B7F698CCF81760F680237BD45A7382E96C8D0543AD
                                                                                                              APIs
                                                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D739
                                                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D749
                                                                                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D759
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc
                                                                                                              • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                                              • API String ID: 190572456-212574377
                                                                                                              • Opcode ID: 575c4cb06a2452c1401fa841c1313ffc0221effe76d11e7dd1aabe4620aafca8
                                                                                                              • Instruction ID: 6c96be05a1394ea18707f7eb6152f5503904c11dec58d168239e3d414ffdbae6
                                                                                                              • Opcode Fuzzy Hash: 575c4cb06a2452c1401fa841c1313ffc0221effe76d11e7dd1aabe4620aafca8
                                                                                                              • Instruction Fuzzy Hash: 6FF0D0B0D00600DFE724EF369C8672736D5ABA871EF54943BA9499526AD778084ECE1C
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,004817AB), ref: 0042EA45
                                                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
                                                                                                              • InterlockedExchange.KERNEL32(0049C668,00000001), ref: 0042EA5C
                                                                                                                • Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042E9D2
                                                                                                                • Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
                                                                                                                • Part of subcall function 0042E9BC: InterlockedExchange.KERNEL32(0049C660,00000001), ref: 0042E9E9
                                                                                                              • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EA70
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                                              • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                                              • API String ID: 142928637-2676053874
                                                                                                              • Opcode ID: 1a4120a275a7a58fb50942f7be9802eb4510f593f9b94c8c2bcf046027c2ff71
                                                                                                              • Instruction ID: ee3a30ffd41cbbfe6d6edcae89b7e54a60ed140ac131bcc27b6a733ad903a47d
                                                                                                              • Opcode Fuzzy Hash: 1a4120a275a7a58fb50942f7be9802eb4510f593f9b94c8c2bcf046027c2ff71
                                                                                                              • Instruction Fuzzy Hash: 7FE06DA1741620BAEA10B7B66CC6FAA2668AB18B19F50103BF100A51D1C2BD0C80CA5D
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F0FD), ref: 0044C85F
                                                                                                              • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C870
                                                                                                              • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C880
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                                              • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                                              • API String ID: 2238633743-1050967733
                                                                                                              • Opcode ID: 09135f5945541ae78a6af7b678b7c17e974eae42bf5bb0e3fde62042262af164
                                                                                                              • Instruction ID: 3dac3c94951c3f326fc139052019a1d9618f5d358237ac6f028f958aa2bdce3c
                                                                                                              • Opcode Fuzzy Hash: 09135f5945541ae78a6af7b678b7c17e974eae42bf5bb0e3fde62042262af164
                                                                                                              • Instruction Fuzzy Hash: E6F01CB02823068BF750BBB1ECC5B263294E76570AF18117BA001A62E2D7BD4888CF1C
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,004992FC), ref: 00479062
                                                                                                              • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047906F
                                                                                                              • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047907F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$HandleModule
                                                                                                              • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                                              • API String ID: 667068680-222143506
                                                                                                              • Opcode ID: f2527f3e8acae3901293ffe8f3822438352d858e28b091300cd7299335f6a370
                                                                                                              • Instruction ID: fd16aae75e34d792cc346ba171bb4a4eccdb771972da16ee3cf818c899e4fb82
                                                                                                              • Opcode Fuzzy Hash: f2527f3e8acae3901293ffe8f3822438352d858e28b091300cd7299335f6a370
                                                                                                              • Instruction Fuzzy Hash: F3C012F0A50740E9DA00B7B11CC3E7B256CD540B28720803B748D75183D57C0C044F3C
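The function records above (BZ2_bzDecompress*, ChangeWindowMessageFilterEx, the oleacc.dll pair and VerSetConditionMask/VerifyVersionInfoW) are what the "Extensive use of GetProcAddress" signature in the overview is counting. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses API bullet lines in the text form rendered on this page and rebuilds, per function record, which procedure names the sample resolves at run time. It assumes records are separated by a blank line, and it uses a heuristic for the stack-recovery noise visible in the ChangeWindowMessageFilterEx record, where GetProcAddress is shown with "user32.dll" as its second argument while the real procedure name appears in the preceding GetModuleHandleA argument list. The sample records are copied from this page; the regex, heuristic and function names are the example's own.

```python
"""Rebuild dynamically resolved imports from Joe Sandbox function records.

Added example; not part of the Joe Sandbox report. Parses the bullet lines
under each "APIs" heading as rendered on this page and groups GetProcAddress
targets by the module named in the same record's LoadLibraryA/GetModuleHandleA
call. Blank lines are assumed to separate records.
"""
import re
from collections import defaultdict

# One API bullet as rendered in the report, optionally prefixed by
# "Part of subcall function XXXXXXXX:" for calls made by a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
HEX_OR_UNKNOWN = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")

# Constructed sample: API bullets copied from the function records above,
# one record per blank-line-separated group.
SAMPLE_RECORDS = """\
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D739
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D749
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D759

• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,004817AB), ref: 0042EA45
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA4B
• InterlockedExchange.KERNEL32(0049C668,00000001), ref: 0042EA5C
  • Part of subcall function 0042E9BC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042E9D2
  • Part of subcall function 0042E9BC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049A934), ref: 0042EA70

• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F0FD), ref: 0044C85F
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C870
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C880

• GetModuleHandleA.KERNEL32(kernel32.dll,?,004992FC), ref: 00479062
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047906F
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047907F
"""


def _looks_like_proc(arg: str) -> bool:
    """A recovered stack value is taken as a procedure name only if it is a
    plain identifier: not an 8-digit hex placeholder, not '?', not a .dll name."""
    if not arg or HEX_OR_UNKNOWN.match(arg) or arg.lower().endswith(".dll"):
        return False
    return re.fullmatch(r"[A-Za-z_]\w*", arg) is not None


def resolved_imports(record_text: str) -> dict:
    """Return {module: [proc, ...]} for every GetProcAddress in the text.

    The module is the first argument of the most recent loader call in the
    same record. The procedure is GetProcAddress's second argument, unless
    that argument is itself a module name (stack-recovery noise, heuristic
    assumption), in which case the first identifier-looking argument of the
    loader call is used instead. Records with no loader call go under
    "<unresolved module>".
    """
    result = defaultdict(set)
    module = None            # module named by the record's loader call
    loader_proc_hint = None  # identifier seen in the loader's argument list
    for line in record_text.splitlines():
        if not line.strip():
            module, loader_proc_hint = None, None  # blank line ends a record
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        api = m.group("api")
        args = [a.strip() for a in m.group("args").split(",")]
        if api in LOADERS:
            if args and args[0].lower().endswith(".dll"):
                module = args[0].lower()
            loader_proc_hint = next((a for a in args[1:] if _looks_like_proc(a)), None)
        elif api == "GetProcAddress" and len(args) >= 2:
            proc = args[1] if _looks_like_proc(args[1]) else loader_proc_hint
            if proc:
                result[module or "<unresolved module>"].add(proc)
    return {mod: sorted(procs) for mod, procs in result.items()}


if __name__ == "__main__":
    for mod, procs in sorted(resolved_imports(SAMPLE_RECORDS).items()):
        print(f"{mod}: {', '.join(procs)}")
```

Run against the four records it prints one line per module; the BZ2 routines land under "<unresolved module>" because the handle they are resolved from is passed in from elsewhere (the record shows only the 00000000 placeholder). Treat the "user32.dll as procedure name" fallback as a heuristic for this rendering of the report, not as a property of GetProcAddress.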
                                                                                                              APIs
                                                                                                              • GetFocus.USER32 ref: 0041B755
                                                                                                              • GetDC.USER32(?), ref: 0041B761
                                                                                                              • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B796
                                                                                                              • RealizePalette.GDI32(00000000), ref: 0041B7A2
                                                                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7D0
                                                                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B804
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                              • String ID:
                                                                                                              • API String ID: 3275473261-0
                                                                                                              • Opcode ID: c0b27d3b7a66d9be5bed6a7f47b95188f2d45c1e9081e04c5e1905c96dbfd583
                                                                                                              • Instruction ID: a2c5ddb66569cb6b77bb8b351ce757b8a6afb07cbb9f01b77a2eee85226ebd67
                                                                                                              • Opcode Fuzzy Hash: c0b27d3b7a66d9be5bed6a7f47b95188f2d45c1e9081e04c5e1905c96dbfd583
                                                                                                              • Instruction Fuzzy Hash: BB512F74A00208DFCB11DFA9C855AEEBBB9FF49704F104066F504A7390D7789981CBA9
                                                                                                              APIs
                                                                                                              • GetFocus.USER32 ref: 0041BA27
                                                                                                              • GetDC.USER32(?), ref: 0041BA33
                                                                                                              • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA6D
                                                                                                              • RealizePalette.GDI32(00000000), ref: 0041BA79
                                                                                                              • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA9D
                                                                                                              • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                              • String ID:
                                                                                                              • API String ID: 3275473261-0
                                                                                                              • Opcode ID: 2ce40bb40bbcf4fda08707fe581e59aceef162c3ea3b02671fd4d2ee797de512
                                                                                                              • Instruction ID: 9811d2e4aff7790a224b19fb8c07a8c8a8d7caa6f03daf8ca787c0bc2bb5238d
                                                                                                              • Opcode Fuzzy Hash: 2ce40bb40bbcf4fda08707fe581e59aceef162c3ea3b02671fd4d2ee797de512
                                                                                                              • Instruction Fuzzy Hash: 48512974A002189FCB11DFA9C891AAEBBF9FF48700F15806AF504EB751D7789D40CBA4
                                                                                                              APIs
                                                                                                              • GetFocus.USER32 ref: 0041B58E
                                                                                                              • GetDC.USER32(?), ref: 0041B59A
                                                                                                              • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5B6
                                                                                                              • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5D3
                                                                                                              • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5EA
                                                                                                              • ReleaseDC.USER32(?,?), ref: 0041B636
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 2502006586-0
                                                                                                              • Opcode ID: 93cc6d3c32f59bb0d3866a424ed22eeeeb8d669c97e98ac0717914e792a0e722
                                                                                                              • Instruction ID: 54132ba296c0afcfcf6bcc6108250e3b4accff89e00e7de8f4d517709d1e9298
                                                                                                              • Opcode Fuzzy Hash: 93cc6d3c32f59bb0d3866a424ed22eeeeb8d669c97e98ac0717914e792a0e722
                                                                                                              • Instruction Fuzzy Hash: CF41D571A04258AFCB10DFA9C885A9FBBB4EF55704F1484AAF500EB351D3389D11CBA5
                                                                                                              APIs
                                                                                                              • SetLastError.KERNEL32(00000057,00000000,0045D1C0,?,?,?,?,00000000), ref: 0045D15F
                                                                                                              • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D22C,?,00000000,0045D1C0,?,?,?,?,00000000), ref: 0045D19E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                               • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                               • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                                              • API String ID: 1452528299-1580325520
                                                                                                              • Opcode ID: e5d6d334a763e1cbb8f1666fe6de59715d05f57489b5bab2b54e19ba110a4e8d
                                                                                                              • Instruction ID: 7b2924e434c2d2a6e8a64b45c898520acf8211660a530507fefc98e5318dd698
                                                                                                              • Opcode Fuzzy Hash: e5d6d334a763e1cbb8f1666fe6de59715d05f57489b5bab2b54e19ba110a4e8d
                                                                                                              • Instruction Fuzzy Hash: C911D535A04A04AFDB31DEA1C941A9E76ADDF44306F6040777C00A2783D63C9F0AD52E
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
• GetDC.USER32(00000000), ref: 0041BDF9
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE20
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE2D
• ReleaseDC.USER32(00000000,00000000), ref: 0041BE66
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
• API String ID: 447804332-0
• Opcode ID: e7ae0f99dd269f353d7b7641ed485f387b8aeae4be2e5651bec5d04fa653b95a
• Instruction ID: e886330f15f7a5316131e86c26d6fb078e3572472e198ea0fe97a07bc4f3c0b5
• Opcode Fuzzy Hash: e7ae0f99dd269f353d7b7641ed485f387b8aeae4be2e5651bec5d04fa653b95a
• Instruction Fuzzy Hash: 54212A74E04748AFEB00EFA9C942BEEB7B4EB48714F10842AF514B7781D7785940CBA9
APIs
• RtlEnterCriticalSection.KERNEL32(0049C420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(00898EE8,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,00898EE8,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(00899EE8,?,00000000,00008000,00898EE8,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(0049C420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049C420,00401B6F), ref: 00401B62
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: 881435858a3df7288aae927e3c0e93e2fd7e3e12d101c835c3d014fcf42cc859
• Instruction ID: ece8596464e12e4b83b5bd96c0fd07c419ca8ccd111934747786d766a0fa6b25
• Opcode Fuzzy Hash: 881435858a3df7288aae927e3c0e93e2fd7e3e12d101c835c3d014fcf42cc859
• Instruction Fuzzy Hash: AC119D30B403405BEB15ABA59CE2B363BE4A765708F94007BF40067AF1D67C984087AE
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047EBEA
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CE49), ref: 0047EC10
• GetWindowLongA.USER32(?,000000EC), ref: 0047EC20
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047EC41
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047EC55
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047EC71
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: 5cd40674e0b8a30ca8b6933e71840c0df1b24ef64ec96d3901f5dc784d2e9b41
• Instruction ID: c412bc1a630f4fb8f5d2bcb23b9cdd23b166c0171215975471963c460da52ad8
• Opcode Fuzzy Hash: 5cd40674e0b8a30ca8b6933e71840c0df1b24ef64ec96d3901f5dc784d2e9b41
• Instruction Fuzzy Hash: 13014CB6651210AFD710DB69CE85F2637D8AB0D330F0946A6B549EF2E3C228DC408B08
APIs
  • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
• UnrealizeObject.GDI32(00000000), ref: 0041B28C
• SelectObject.GDI32(?,00000000), ref: 0041B29E
• SetBkColor.GDI32(?,00000000), ref: 0041B2C1
• SetBkMode.GDI32(?,00000002), ref: 0041B2CC
• SetBkColor.GDI32(?,00000000), ref: 0041B2E7
• SetBkMode.GDI32(?,00000001), ref: 0041B2F2
  • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction ID: f7789479bb42d6d63a82e92436423a6fea40f6b6a905c0023d8cad956bbacbbe
• Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction Fuzzy Hash: BAF072B56015019BDE00FFBAD9CAE4B77989F043097088457B944DF197C97DD8548B3D
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• ShowWindow.USER32(?,00000005,00000000,00498699,?,?,00000000), ref: 0049846A
  • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
  • Part of subcall function 004072B8: SetCurrentDirectoryA.KERNEL32(00000000,?,00498492,00000000,00498665,?,?,00000005,00000000,00498699,?,?,00000000), ref: 004072C3
  • Part of subcall function 0042D45C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4EA,?,?,?,00000001,?,00456126,00000000,0045618E), ref: 0042D491
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
• Opcode ID: 9dccf75c53f7f3cca1dc1e45017c6a23ce3ff908e08cd1c52ac55b79a990f213
• Instruction ID: 94d9a00f42835dc9211730c265b92997509a8ce46d72803125f61036d3c10121
• Opcode Fuzzy Hash: 9dccf75c53f7f3cca1dc1e45017c6a23ce3ff908e08cd1c52ac55b79a990f213
• Instruction Fuzzy Hash: 22315574A00114AFCB00FF69DC52D9EBBB5EB49318F51847AF810AB751DB39AD04CB58
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Opcode ID: d7b5e8f06d25cf2e82843ddd2a686aee5f6cfebd975f7e169ae89c51933d11b0
• Instruction ID: 8013201a01c1a3ce4b1282a4ea415291a3823007c30eea77c81bb12cf145ddb4
• Opcode Fuzzy Hash: d7b5e8f06d25cf2e82843ddd2a686aee5f6cfebd975f7e169ae89c51933d11b0
• Instruction Fuzzy Hash: 34F0C8D174066137E620A57F9C83F6B598C8F94759F140436F109E62C1D96C9905426E
APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004580D0
• GetExitCodeProcess.KERNEL32(?,?), ref: 004580F1
• CloseHandle.KERNEL32(?,00458124), ref: 00458117
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
• Opcode ID: 48654442b45b242062e68cf3d97dab4c0ed917fb54e1286c856b08e600caecae
• Instruction ID: eff4a35bea7a62289d80d9c26220f44f895e3d9a2531d43f7f7dfd5bd268873c
• Opcode Fuzzy Hash: 48654442b45b242062e68cf3d97dab4c0ed917fb54e1286c856b08e600caecae
• Instruction Fuzzy Hash: C401A230600604AFDB10EBA98C42E2E73A8EB49755F10457ABC10E73C3EE389D059B18
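As an added example (not part of this Joe Sandbox report and not Joe Sandbox's own code): a small parser for the per-function "APIs ... Similarity" blocks listed above, so that call sites, API/String IDs and fuzzy hashes can be pulled into records for triage or for comparing functions across samples. The sample text is copied from two of this report's blocks with the Memory Dump Source lines dropped; the pairing of `.dll` names with API-looking string arguments in `dynamic_imports()` is a heuristic assumed by this example, motivated by the report's "Extensive use of GetProcAddress" signature, and is not something the report itself computes.

```python
"""Parse the per-function API/Similarity blocks of a Joe Sandbox text report.

Added example for this page, not Joe Sandbox code. SAMPLE is copied from two
blocks of this report (Memory Dump Source lines omitted); the dynamic-import
pairing heuristic in dynamic_imports() is an assumption of this example.
"""
import re
from collections import defaultdict

# One call site, e.g. "• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8"
# or, with no argument list, "• CreateBrushIndirect.GDI32 ref: 0041A75B".
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Similarity fields such as "• API ID: ErrorLast" or "• String ID:" (may be empty).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
FIELDS = {"API ID", "String ID", "API String ID", "Opcode ID",
          "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}

SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAEA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAF0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB19
Strings
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Instruction Fuzzy Hash: 34F0C8D174066137E620A57F9C83F6B598C8F94759F140436F109E62C1D96C9905426E
APIs
  • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
• UnrealizeObject.GDI32(00000000), ref: 0041B28C
• SelectObject.GDI32(?,00000000), ref: 0041B29E
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
"""


def parse_blocks(text):
    """Split the report into one record per function, starting at each 'APIs' line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()          # the HTML export indents lines heavily
        if line == "APIs":
            cur = {"calls": [], "fields": {}}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur["calls"].append({"api": m["api"], "module": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] in FIELDS:
            cur["fields"][f["key"]] = f["val"].strip()
    return blocks


def string_ids(block):
    """Joe Sandbox joins the strings a function references with '$'."""
    return [s for s in block["fields"].get("String ID", "").split("$") if s]


def api_ids(blocks):
    """Map each block's API ID (a sorted join of the APIs it calls) to its call-site addresses."""
    out = defaultdict(list)
    for b in blocks:
        out[b["fields"].get("API ID", "")].extend(c["ref"] for c in b["calls"])
    return dict(out)


def dynamic_imports(blocks):
    """Heuristic (assumed by this example): in a block that calls GetProcAddress, pair the
    .dll names with the API-looking string arguments the sandbox printed at the call sites.
    This recovers names the sample resolves at runtime instead of importing statically."""
    found = set()
    for b in blocks:
        if not any(c["api"] == "GetProcAddress" for c in b["calls"]):
            continue
        dlls, names = set(), set()
        for c in b["calls"]:
            for a in c["args"]:
                if a.lower().endswith(".dll"):
                    dlls.add(a.lower())
                elif re.fullmatch(r"[A-Z][A-Za-z0-9]+", a) and not re.fullmatch(r"[0-9A-F]{8}", a):
                    names.add(a)       # skip 8-hex-digit values, which are addresses/constants
        found.update((d, n) for d in dlls for n in names)
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for b in parsed:
        print(b["fields"].get("API ID"), [c["ref"] for c in b["calls"]], string_ids(b))
    print("runtime-resolved:", dynamic_imports(parsed))
```

Run it against a full report export and `dynamic_imports()` gives a quick list of the APIs the sample looks up by name, which is the usual starting point for checking whether the import table understates what the binary can do.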
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA80,00000004,0049A934,00457299,0045763C,004571F0,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042E9D2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9D8
• InterlockedExchange.KERNEL32(0049C660,00000001), ref: 0042E9E9
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 29e3fe99fd39411a87420eaca3bfaa87a3f8c8d91b56c7102c175830130eccb1
• Instruction ID: c49eaaa8fdb071360f38502b50e3c23bad510ecb3814e64996c12b789333cacc
• Opcode Fuzzy Hash: 29e3fe99fd39411a87420eaca3bfaa87a3f8c8d91b56c7102c175830130eccb1
• Instruction Fuzzy Hash: 78E0ECB1740314AAEA10AB62AECBF662558AB24F19F902437F101B51E2C7FC0C84C92D
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477FD8
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004780CF,0049D0A8,00000000), ref: 00477FEB
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477FF1
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
• Opcode ID: 4365f07802c1d4a062b6a547225ad7893818e73781abac978e1d5f5c77ef267c
• Instruction ID: f8b3738cd9567d8133e7bb9c55c493c63169bafd132c11812e06eb582868bf74
• Opcode Fuzzy Hash: 4365f07802c1d4a062b6a547225ad7893818e73781abac978e1d5f5c77ef267c
• Instruction Fuzzy Hash: 92D0C7B168074165D95073B54D4EF9F225C9A4471C715C83FB548E2185DE7CD809457D
APIs
• BeginPaint.USER32(00000000,?), ref: 00416C62
• SaveDC.GDI32(?), ref: 00416C93
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
• RestoreDC.GDI32(?,?), ref: 00416D1B
• EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• API String ID: 3808407030-0
• Opcode ID: 6e943c95b49c6f236292f7e3f4c968b2c26fc47392d5a45f7d0b8c39400a8a14
• Instruction ID: fd6e93c78d11005d9ba704e8aa7896ba8bfa997e2438936ed7ae042a7726967b
• Opcode Fuzzy Hash: 6e943c95b49c6f236292f7e3f4c968b2c26fc47392d5a45f7d0b8c39400a8a14
• Instruction Fuzzy Hash: 67411C70A04204AFDB04DB99D985FAAB7F9FF48304F1680AEE4059B362D778ED45CB58
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
• Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
• Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
• Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• API String ID: 3850602802-0
• Opcode ID: 37c779b953a04f4a12efe840b5dae96d6b1eda754ba999e5db1c97090b84cbca
• Instruction ID: 3a43d17cedf841754d2741ff269161da15bdaac6ac028e7563c87cbc4d8d060b
• Opcode Fuzzy Hash: 37c779b953a04f4a12efe840b5dae96d6b1eda754ba999e5db1c97090b84cbca
• Instruction Fuzzy Hash: 87219D707507057AE710BB66CC82F5B76ECEB41708F94043EB541AB2D2DF78AD41861C
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
• GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
• GetDC.USER32(00000000), ref: 0041BC22
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC69
• DeleteObject.GDI32(00000000), ref: 0041BCAA
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MetricsSystem$BitmapCreateDeleteObject
• API String ID: 1095203571-0
• Opcode ID: 6e5f92cac6927d4c8622965cf5499bf0577c4e8cc05c04df1912703be0f6a612
• Instruction ID: c69e797babd58ff3ff02391fbdd927ad6b6ed61c45feb1cc22c7e7fbd0aaf132
• Opcode Fuzzy Hash: 6e5f92cac6927d4c8622965cf5499bf0577c4e8cc05c04df1912703be0f6a612
• Instruction Fuzzy Hash: BA314F74E00209EFDB04DFA5CA41AAEB7F5EB48700F1185AAF514AB381D7789E40DB98
APIs
  • Part of subcall function 0045D0F4: SetLastError.KERNEL32(00000057,00000000,0045D1C0,?,?,?,?,00000000), ref: 0045D15F
• GetLastError.KERNEL32(00000000,00000000,00000000,00473AE8,?,?,0049D1E0,00000000), ref: 00473AA1
• GetLastError.KERNEL32(00000000,00000000,00000000,00473AE8,?,?,0049D1E0,00000000), ref: 00473AB7
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 00473AAB
• Setting permissions on registry key: %s\%s, xrefs: 00473A66
• Failed to set permissions on registry key (%d)., xrefs: 00473AC8
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
• Opcode ID: 4607364518860baa8c25b99786c39b8e95e77fc7ad03eb8564835eea2eb2ed49
• Instruction ID: 0b47f7c1dfc919aadf9eca7aecddead5c0e22d63d641398338859fb193043b06
• Opcode Fuzzy Hash: 4607364518860baa8c25b99786c39b8e95e77fc7ad03eb8564835eea2eb2ed49
• Instruction Fuzzy Hash: 29219570A042445FCB10DFA9D8426EEBBE8EF49315F50817BE448E7392D7785E05CBA9
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• API String ID: 262959230-0
• Opcode ID: 353a0757e9fd9d11b623670cfd803f5b8829311614747a855f6672fd601e9639
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: 353a0757e9fd9d11b623670cfd803f5b8829311614747a855f6672fd601e9639
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414429
• RealizePalette.GDI32(00000000), ref: 00414431
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414445
• RealizePalette.GDI32(00000000), ref: 0041444B
• ReleaseDC.USER32(00000000,00000000), ref: 00414456
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
• Opcode ID: c27572ba3b318a97157e2ff630850643e717ce291e632f808275401916b3f835
• Instruction ID: 45e707893e7549553209a356c9d37de8c9d5e61d21803148832d8e75357fff83
• Opcode Fuzzy Hash: c27572ba3b318a97157e2ff630850643e717ce291e632f808275401916b3f835
• Instruction Fuzzy Hash: 6B01D47120C3806AD600A63D8C85A9F6BEC8FC6318F05946EF584DB3C2C979C8008761
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407013
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040708D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070E5
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: 33049c7ea11c30121095e337e56ababc2e5377dae656412ba48cd4e8f0b87484
• Instruction ID: bcee853a6b72702f38c87c8f124e100014cbe8ba86cd5f63ed9636da07a90c42
• Opcode Fuzzy Hash: 33049c7ea11c30121095e337e56ababc2e5377dae656412ba48cd4e8f0b87484
• Instruction Fuzzy Hash: 1C515170E042089FDB15DF65C941A9EBBB9EF09304F1081BAE900BB3D1D778AE458F5A
APIs
• SetRectEmpty.USER32(?), ref: 0044D0C2
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D0ED
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D175
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 6196a861e208648b27b20abb2373d7b11b2b7b03d09eecf030d190a78f0ec511
• Instruction ID: 523be4b6c2791812100f8c37f9dfaf26ef338fc18bb75760613781b343a57c3a
• Opcode Fuzzy Hash: 6196a861e208648b27b20abb2373d7b11b2b7b03d09eecf030d190a78f0ec511
• Instruction Fuzzy Hash: 5E516170E00248AFEB11DFA9C885BDEBBF9BF49304F14447AE845EB252D7789944CB64
APIs
• GetDC.USER32(00000000), ref: 0042EFFE
  • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
• SelectObject.GDI32(?,00000000), ref: 0042F021
• ReleaseDC.USER32(00000000,?), ref: 0042F100
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: c0d9c5121ec3aa9e9e44613710b25e7259c00030b0a3b9e9a82ef93a81d8c198
• Instruction ID: fc9511131d6b73f8b5d25d5b58e31b0db863437dcfa52910c3569242d90b8927
• Opcode Fuzzy Hash: c0d9c5121ec3aa9e9e44613710b25e7259c00030b0a3b9e9a82ef93a81d8c198
• Instruction Fuzzy Hash: C6316370B00128ABDB11DF96D841BAEB7F8EB48704FD1447BF410A7292D7785E45CA59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A1F
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004974F9,_iu,?,00000000,00453A6A), ref: 00453A2F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: .tmp$_iu
• API String ID: 3498533004-10593223
• Opcode ID: f4bf8c45f7033f3331564d27c18b43533cfc8535b408c23d1883a19ba3932c6e
• Instruction ID: b5244aac63c968e20baa0947e479141d383441796118bbd3b2ad3f6bf7aa4b2b
• Opcode Fuzzy Hash: f4bf8c45f7033f3331564d27c18b43533cfc8535b408c23d1883a19ba3932c6e
• Instruction Fuzzy Hash: 94319770E40149ABCB01EFA5C942B9EFBB5AF44349F60447AF840B72C2D7785F058A99
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
• UnregisterClassA.USER32(?,00400000), ref: 004164BB
• RegisterClassA.USER32(?), ref: 004164DE
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: f63e7bba2927d9b20c5332474012c1eec1724a49959d6227c5091a8278f22a45
• Instruction ID: 0582e4decd83047b7d259989b1a1a5a7d11b83513a4c29c925389085b8c31041
• Opcode Fuzzy Hash: f63e7bba2927d9b20c5332474012c1eec1724a49959d6227c5091a8278f22a45
• Instruction Fuzzy Hash: 9E316F706042409BD720EF68C881B9B77E5AB85308F04457FF989DB396DB39D984CB6A
APIs
• GetFileAttributesA.KERNEL32(00000000,00499238,00000000,004989DE,?,?,00000000,0049C628), ref: 00498958
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00499238,00000000,004989DE,?,?,00000000,0049C628), ref: 00498981
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049899A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 481a7bc48378292d0d9514443bc536ceeed31eb1900f78afcde6c41445521250
• Instruction ID: b5053b6e7fa7181d8d55ffb0211e93ede9ed2a916a95833b3805d60610295bd2
• Opcode Fuzzy Hash: 481a7bc48378292d0d9514443bc536ceeed31eb1900f78afcde6c41445521250
• Instruction Fuzzy Hash: 1D2158B1D00159AFDF01DFA9C8819BFBBB8EB55314F11453FB414B72D1DA389E018A5A
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: d2d2115462cf46c609d5747887fa32ed032da6f71deecf4a39b0bc855ac853b0
• Instruction ID: fb75bd3449ddbba25be9859e6e9cdae11be236df4b8f13ef698ff7f8a35764cd
• Opcode Fuzzy Hash: d2d2115462cf46c609d5747887fa32ed032da6f71deecf4a39b0bc855ac853b0
• Instruction Fuzzy Hash: 5E215360B44241CBEB11ABB5ACC17263B9197E5348F048177E740B73E2C67C9D5587AE
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042C814: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C838
                                                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456CF8
                                                                                                              • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456D25
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                                              • String ID: LoadTypeLib$RegisterTypeLib
                                                                                                              • API String ID: 1312246647-2435364021
                                                                                                              • Opcode ID: f0fa4eb5ebe45c922c3dc586aac30000597ac91e8294356b8a9e27c423337520
                                                                                                              • Instruction ID: e26b8d5a5ba7491cefd4e72126217f2167f7f2a36d46249135fbb0ec9729d1e1
                                                                                                              • Opcode Fuzzy Hash: f0fa4eb5ebe45c922c3dc586aac30000597ac91e8294356b8a9e27c423337520
                                                                                                              • Instruction Fuzzy Hash: 55119670B00608BFDB11EFA6CD51A5EB7FDEB89705B518876F804D3652DA3C9D18CA24
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00457216
                                                                                                              • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 004572B3
                                                                                                              Strings
                                                                                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457242
                                                                                                              • Failed to create DebugClientWnd, xrefs: 0045727C
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                                              • API String ID: 3850602802-3720027226
                                                                                                              • Opcode ID: 9a46964b4fb996960123dd022ea41504470fc605069612a01803a2fa065a410b
                                                                                                              • Instruction ID: b5c581551a88cbf950d7fc36a96106bfa88ed205bfa31746cca5d2dcd4d7a39c
                                                                                                              • Opcode Fuzzy Hash: 9a46964b4fb996960123dd022ea41504470fc605069612a01803a2fa065a410b
                                                                                                              • Instruction Fuzzy Hash: 4A1123706082406BE710AB699C81B4F7B989B59319F04447BF984DF383D7788849CBAE
                                                                                                              APIs
                                                                                                                • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                                                              • GetFocus.USER32 ref: 00478B93
                                                                                                              • GetKeyState.USER32(0000007A), ref: 00478BA5
                                                                                                              • WaitMessage.USER32(?,00000000,00478BCC,?,00000000,00478BF3,?,?,00000001,00000000,?,?,00480889,00000000,004817AB), ref: 00478BAF
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: FocusMessageStateTextWaitWindow
                                                                                                              • String ID: Wnd=$%x
                                                                                                              • API String ID: 1381870634-2927251529
                                                                                                              • Opcode ID: 56ac62ba261c13ec75de75e3b0b9d956a03bf57f73efdd15721ffc7da14054af
                                                                                                              • Instruction ID: dc81ccc12ba5f0d8980b62dc3576adf4111e854ad11f41bc8ce465a24b65dd47
                                                                                                              • Opcode Fuzzy Hash: 56ac62ba261c13ec75de75e3b0b9d956a03bf57f73efdd15721ffc7da14054af
                                                                                                              • Instruction Fuzzy Hash: 3711A370644249AFCB01EF65DC45A9E7BB8EB4D314B5184BEF408E7281DB7CAE00CA69
                                                                                                              APIs
                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E810
                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E81F
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: Time$File$LocalSystem
                                                                                                              • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                                              • API String ID: 1748579591-1013271723
                                                                                                              • Opcode ID: afc27b9defac450e26b0986b5fbe5a1bdb65cc68f7403b26db70cd1c163db108
                                                                                                              • Instruction ID: 1109e0a0549d5184889796f6d95c1db6af1f7efe6b7ed272276b3322b0c95b1e
                                                                                                              • Opcode Fuzzy Hash: afc27b9defac450e26b0986b5fbe5a1bdb65cc68f7403b26db70cd1c163db108
                                                                                                              • Instruction Fuzzy Hash: 1111F5A440C3909ED340DF2AC44032FBAE4AB89704F44496EF9C8D7381E779C948DBA7
                                                                                                              APIs
                                                                                                              • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453FF7
                                                                                                                • Part of subcall function 00406F60: DeleteFileA.KERNEL32(00000000,0049C628,00498DC9,00000000,00498E1E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F6B
                                                                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 0045401C
                                                                                                                • Part of subcall function 00453510: GetLastError.KERNEL32(00000000,004540A5,00000005,00000000,004540DA,?,?,00000000,0049C628,00000004,00000000,00000000,00000000,?,00498A7D,00000000), ref: 00453513
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: File$AttributesDeleteErrorLastMove
                                                                                                              • String ID: DeleteFile$MoveFile
                                                                                                              • API String ID: 3024442154-139070271
                                                                                                              • Opcode ID: e6ecb1dbfe451e73ced23eeeb408c191c9d173acb1a016d6f6abe8d636493956
                                                                                                              • Instruction ID: 5b319f4d86c429aaf34c497ec622aa84374fa007c64af5b461aa928f93ad298c
                                                                                                              • Opcode Fuzzy Hash: e6ecb1dbfe451e73ced23eeeb408c191c9d173acb1a016d6f6abe8d636493956
                                                                                                              • Instruction Fuzzy Hash: 42F036742041055BEB00FBB6D95266E67ECEB8470EF60443BF900BB6C3EA3D9E49492D
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004840E9
                                                                                                              • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0048410C
                                                                                                              Strings
                                                                                                              • CSDVersion, xrefs: 004840E0
                                                                                                              • System\CurrentControlSet\Control\Windows, xrefs: 004840B6
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                              • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                                              • API String ID: 3677997916-1910633163
                                                                                                              • Opcode ID: e6177dccfdccffb4b165993cffb6e954166e9eb20f95b4884a5f0f01978d4c96
                                                                                                              • Instruction ID: 53b0cd76a008673903c9ef47d43ccdc3b5982ad8000f383f0d4d26435d6d51d8
                                                                                                              • Opcode Fuzzy Hash: e6177dccfdccffb4b165993cffb6e954166e9eb20f95b4884a5f0f01978d4c96
                                                                                                              • Instruction Fuzzy Hash: ABF03175E0020AAADF10EAD08C4DB9FB3BC9B54704F104567E910E7281E678AA848B59
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459549,00000000,00459701,?,00000000,00000000,00000000), ref: 00459459
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                                              • API String ID: 47109696-2631785700
                                                                                                              • Opcode ID: 8010f28983bc049789e2a41e09978bce303c8067828b4a2db98a6df8c10ff22e
                                                                                                              • Instruction ID: da45e090e08c2af83dc97eff45d409e8c8a7a5d294f3c067393b5131bf5ff8bf
                                                                                                              • Opcode Fuzzy Hash: 8010f28983bc049789e2a41e09978bce303c8067828b4a2db98a6df8c10ff22e
                                                                                                              • Instruction Fuzzy Hash: F2F0AF31B04110ABC710AB1AD845B6E6398DBD235AF50803BF985DB253EA7CCC0B8769
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453BCE,00000000,00453C71,?,?,00000000,00000000,00000000,00000000,00000000,?,00454061,00000000), ref: 0042D91A
                                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D920
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                                              • API String ID: 1646373207-4063490227
                                                                                                              • Opcode ID: 668015d286dac6ed483b16a742b0e62700dc4db53c3f9f7b812670d1427f7fe3
                                                                                                              • Instruction ID: c73f6de4eb886e968b085a6e7c7cc63e3b6fdbea6d7e209729b619e098e19142
                                                                                                              • Opcode Fuzzy Hash: 668015d286dac6ed483b16a742b0e62700dc4db53c3f9f7b812670d1427f7fe3
                                                                                                              • Instruction Fuzzy Hash: F9E04FE1B40B5113E710667A5C8276B158E4B84728F90443B3994E52C7DDBCD9C8566D
                                                                                                              APIs
                                                                                                              • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAE0), ref: 0042EB72
                                                                                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB78
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                              • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                                              • API String ID: 1646373207-260599015
                                                                                                              • Opcode ID: bee4edb2c449a5dfd1c01cdfe9b6f7374d179aa79d7f6a8ce8d951f478ed0695
                                                                                                              • Instruction ID: d308361a71a1e4dc0c71eda52d15a5d5ca57c7b6b7e2bde91db1678b7815b427
                                                                                                              • Opcode Fuzzy Hash: bee4edb2c449a5dfd1c01cdfe9b6f7374d179aa79d7f6a8ce8d951f478ed0695
                                                                                                              • Instruction Fuzzy Hash: 8DD0A792301732626900F1F73CC1DBB0A8C89102793540077F601E1241D54DDC01156C
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004992CA), ref: 0044F7F3
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F7F9
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
• Opcode ID: c3786242a14ca03a62e3406b7bd0f53fb28c80e98e7c47f23881a3d4f16b908f
• Instruction ID: b1e2d04df43b1f620e0cf6c091983f233af54cc0e24e64f5668f936ad46d7efe
• Opcode Fuzzy Hash: c3786242a14ca03a62e3406b7bd0f53fb28c80e98e7c47f23881a3d4f16b908f
• Instruction Fuzzy Hash: 6BE012F0A417469EEB00BBF5998671A3AA0E75431CF51007BB1006A192CB7C44184F6E
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00499320,00000001,00000000,00499344), ref: 0049904A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00499050
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
• Opcode ID: 646b07dbd550e4abdd546bdc612ddcefe778f12448e39103c2641131bf94b29c
• Instruction ID: 7509a849a1c86b60682be4b60143d7a07ed98817b3ed87241ead2d9b7982c41a
• Opcode Fuzzy Hash: 646b07dbd550e4abdd546bdc612ddcefe778f12448e39103c2641131bf94b29c
• Instruction Fuzzy Hash: 45B09280280611909C9032BB0D02A1B0E084881728718003F3560B01CACE6D8C04543E
APIs
  • Part of subcall function 0044B6CC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F7E9,004992CA), ref: 0044B6F3
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B70B
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B71D
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B72F
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B741
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B753
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B765
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B777
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B789
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B79B
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B7AD
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B7BF
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B7D1
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B7E3
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B7F5
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B807
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B819
  • Part of subcall function 0044B6CC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B82B
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004992F2), ref: 004646AB
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004646B1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
• Opcode ID: f4442e2486f2b5e46a00971faa36ed1fd0fe9bdb0abc79278919a1fdde299c0b
• Instruction ID: 4b5030ed4f607149f6cd51c097547c25e56dbab9a2da70309a95c4064c32834c
• Opcode Fuzzy Hash: f4442e2486f2b5e46a00971faa36ed1fd0fe9bdb0abc79278919a1fdde299c0b
• Instruction Fuzzy Hash: A4B092E0A81641698D0077B2980790F289489A1B1CB14003F304076097EABC88100E5E
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047DC74,?,?,?,?,00000000,0047DDC9,?,?,?,00000000,?,0047DED8), ref: 0047DC50
• FindClose.KERNEL32(000000FF,0047DC7B,0047DC74,?,?,?,?,00000000,0047DDC9,?,?,?,00000000,?,0047DED8,00000000), ref: 0047DC6E
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 626af9ae0c7025ae86db110923e2d8978f3bc9f77e1149f66e2b87a215601fbe
• Instruction ID: 1e82c9b5cfa583a005eddcd7dd146139acf465dd78b3df19642706576ae0a9c6
• Opcode Fuzzy Hash: 626af9ae0c7025ae86db110923e2d8978f3bc9f77e1149f66e2b87a215601fbe
• Instruction Fuzzy Hash: F7814D70D0424DAFCF21DFA5CC41ADFBBB9EF49304F1080AAE808A7291D6399A46CF54
APIs
  • Part of subcall function 0042EE90: GetTickCount.KERNEL32 ref: 0042EE96
  • Part of subcall function 0042EC98: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECCD
• GetLastError.KERNEL32(00000000,00475B5D,?,?,0049D1E0,00000000), ref: 00475A46
Strings
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
• Opcode ID: bdd100edfa0aef186b75102470bea3ad8c8c879f4a4d4cdb36382bc75decf58e
• Instruction ID: a9db3c141a3770340595dd3a0637540d48bb3c3777a437ddbd25d3dfc602479e
• Opcode Fuzzy Hash: bdd100edfa0aef186b75102470bea3ad8c8c879f4a4d4cdb36382bc75decf58e
• Instruction Fuzzy Hash: 85415871E006099FCB10EF65D882AEE77B4EF44314F508537E414BB351D778AA058BAD
APIs
• GetDesktopWindow.USER32 ref: 00413D56
• GetDesktopWindow.USER32 ref: 00413E0E
  • Part of subcall function 00418ED0: 6F59C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049C628), ref: 00418EEC
  • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049C628), ref: 00418F09
• SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: c82077e875ceebfb446ca8bdba497cc44f2f016adda31143cf8d95e20cbb1c8e
• Instruction ID: a5e00dcc6fd9115ed5a77459d70fea990a5215d510f46849e0ce2877443e0a13
• Opcode Fuzzy Hash: c82077e875ceebfb446ca8bdba497cc44f2f016adda31143cf8d95e20cbb1c8e
• Instruction Fuzzy Hash: CA413771600260EFC714EF29E9C4B9677E1AB69325F16807BE404DB366DA38BD81CF58
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A85
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AF4
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B8F
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BCE
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
• Opcode ID: 2478aacc1cc0604c87cef9c23ce28a73e3b8baee1560f3a98c189eb7686d3011
                                                                                                              • Instruction ID: c07fd310ac7ce6f4f6bdd3d287b746ce8d52192ab59c667046e5b60d4d48b312
                                                                                                              • Opcode Fuzzy Hash: 2478aacc1cc0604c87cef9c23ce28a73e3b8baee1560f3a98c189eb7686d3011
                                                                                                              • Instruction Fuzzy Hash: 0E3134716083849BD730EB65C945BDBB7E8AB85704F40483FB6C8DB2D1EB7859048B6B
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E981
                                                                                                                • Part of subcall function 0044CFC4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CFF6
                                                                                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EA05
                                                                                                                • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                                                              • IsRectEmpty.USER32(?), ref: 0044E9C7
                                                                                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E9EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 855768636-0
                                                                                                              • Opcode ID: be830068c3edf1c95023cfeceac366b6905f068659723eff49c6974a0b69c569
                                                                                                              • Instruction ID: 77b7b7799a66ce86f667cf0b036ff1ab111c9581c09ca9d8f795578908ad38d2
                                                                                                              • Opcode Fuzzy Hash: be830068c3edf1c95023cfeceac366b6905f068659723eff49c6974a0b69c569
                                                                                                              • Instruction Fuzzy Hash: 36118C72B0034027E610BA3E8C86B5B66C99B88708F14083FB605EB3C7DE7CDC094399
                                                                                                              APIs
                                                                                                              • OffsetRect.USER32(?,?,00000000), ref: 00496060
                                                                                                              • OffsetRect.USER32(?,00000000,?), ref: 0049607B
                                                                                                              • OffsetRect.USER32(?,?,00000000), ref: 00496095
                                                                                                              • OffsetRect.USER32(?,00000000,?), ref: 004960B0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: OffsetRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 177026234-0
                                                                                                              • Opcode ID: a5b10c5c05c4c4c8690ebf0e0d14455fb01428b86b9d3b295170541a370ec2ec
                                                                                                              • Instruction ID: 8eac29a9a723dba05d0f501e7f7c311a2f3b3ed3193ada35ebb1b3014bd25ec0
                                                                                                              • Opcode Fuzzy Hash: a5b10c5c05c4c4c8690ebf0e0d14455fb01428b86b9d3b295170541a370ec2ec
                                                                                                              • Instruction Fuzzy Hash: F6215EB6700201ABCB00DE69CDC5E6BB7EEEBD4344F15CA2AF548C7389D634E9448796
                                                                                                              APIs
                                                                                                              • GetCursorPos.USER32 ref: 00417270
                                                                                                              • SetCursor.USER32(00000000), ref: 004172B3
                                                                                                              • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                                                              • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 1959210111-0
                                                                                                              • Opcode ID: e1b8292847e1495943439bfb526301e98f20bb6a1a323b8f65a3f0d30a7d056b
                                                                                                              • Instruction ID: a3ca0b5fbe6c86dc8433d056dfe209cecf977414c0e936569190c1b416abce34
                                                                                                              • Opcode Fuzzy Hash: e1b8292847e1495943439bfb526301e98f20bb6a1a323b8f65a3f0d30a7d056b
                                                                                                              • Instruction Fuzzy Hash: 7F2180713086018BC720AF69D885ADB73B1AB48764B4545ABF855CB352D73DDC82CB49
                                                                                                              APIs
                                                                                                              • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00495CC9
                                                                                                              • MulDiv.KERNEL32(50142444,00000008,?), ref: 00495CDD
                                                                                                              • MulDiv.KERNEL32(F6F86FE8,00000008,?), ref: 00495CF1
                                                                                                              • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495D0F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                              • Instruction ID: f271e463c2a04687a7cd3b1fed15c38c3ae6b45cd4ce19c79766351c2a45cab8
                                                                                                              • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                              • Instruction Fuzzy Hash: 78112172604604AFCB40EFA9C8C4D9B7BECEF4D320B24416AFD19DB246D634ED408BA4
                                                                                                              APIs
                                                                                                              • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                                                              • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                                                              • RegisterClassA.USER32(0049A598), ref: 0041F4E4
                                                                                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 4025006896-0
                                                                                                              • Opcode ID: 46111e49518ace76b25441b5b8420e7e5a88ee32249e97549851b52d686e3228
                                                                                                              • Instruction ID: bc278c4f6faf11cefbb7876bdabff60d814ef9460a0beef0b041e337848a6ca8
                                                                                                              • Opcode Fuzzy Hash: 46111e49518ace76b25441b5b8420e7e5a88ee32249e97549851b52d686e3228
                                                                                                              • Instruction Fuzzy Hash: BB014071300104BBCB10EBA9ED81E9B779C9719314F51423BB505E72E2D6399C158BBD
                                                                                                              APIs
                                                                                                              • WaitForInputIdle.USER32(00000001,00000032), ref: 0045501C
                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045503E
                                                                                                              • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 0045504D
                                                                                                              • CloseHandle.KERNEL32(00000001,0045507A,00455073,?,00000031,00000080,00000000,?,?,004553D3,00000080,0000003C,00000000,004553E9), ref: 0045506D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 4071923889-0
                                                                                                              • Opcode ID: aaa38026e2161bc5d10e27088da429faa58cfaab67b23fe3f60cb52595d37df2
                                                                                                              • Instruction ID: d12116b756cd226a9453b7b7c95f557e71215baafd626de0b651f5c3ff172158
                                                                                                              • Opcode Fuzzy Hash: aaa38026e2161bc5d10e27088da429faa58cfaab67b23fe3f60cb52595d37df2
                                                                                                              • Instruction Fuzzy Hash: F801F570A00A08BEEB209BA9CC12F7F7BACDF45B60F600167B904D32C2C5789D0486B8
                                                                                                              APIs
                                                                                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D037
                                                                                                              • LoadResource.KERNEL32(00400000,72756F73,0040A7D8,00400000,00000001,00000000,?,0040CF94,00000000,?,00000000,?,?,0047CFDC,0000000A,00000000), ref: 0040D051
                                                                                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7D8,00400000,00000001,00000000,?,0040CF94,00000000,?,00000000,?,?,0047CFDC), ref: 0040D06B
                                                                                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7D8,00400000,00000001,00000000,?,0040CF94,00000000,?,00000000,?), ref: 0040D075
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                                              • String ID:
                                                                                                              • API String ID: 3473537107-0
                                                                                                              • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                                              • Instruction ID: 36a118f2821a5a72c918f59cdb85223c1d13502428e6f53becfecf356bbc3684
                                                                                                              • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                                              • Instruction Fuzzy Hash: ECF062B36055046F9B04EFADA881D5B77DCDE88364310017FF908E7282DA39DD118B78
                                                                                                              APIs
                                                                                                              • RtlInitializeCriticalSection.KERNEL32(0049C420,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0049C420,0049C420,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0049C420,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0049C420,00401A89,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                              • String ID:
                                                                                                              • API String ID: 730355536-0
                                                                                                              • Opcode ID: a537f80313018cf3950957164b1fdd12897bf3377eacdc83d36d2ef3f56c3ae2
                                                                                                              • Instruction ID: 68a963c4b4ce3cb9fa4489d147f84cdc209e61955976dc0c42ca8291dd14a8a4
                                                                                                              • Opcode Fuzzy Hash: a537f80313018cf3950957164b1fdd12897bf3377eacdc83d36d2ef3f56c3ae2
                                                                                                              • Instruction Fuzzy Hash: 1501C0707842405EFB19AB6998A27353ED4D796748F91803BF440A6AF1C67C4840CB6D
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 004707E9
                                                                                                              Strings
                                                                                                              • Setting NTFS compression on file: %s, xrefs: 004707B7
                                                                                                              • Failed to set NTFS compression state (%d)., xrefs: 004707FA
                                                                                                              • Unsetting NTFS compression on file: %s, xrefs: 004707CF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                                              • API String ID: 1452528299-3038984924
                                                                                                              • Opcode ID: 0da083cedf78d204021f0c22f46e9404a6a0d1fca2abd04a8242647f3c87b887
                                                                                                              • Instruction ID: 145c5581ad0eca4b083c726d4b350626947fd7e4083fb75601c5580ae1b156b2
                                                                                                              • Opcode Fuzzy Hash: 0da083cedf78d204021f0c22f46e9404a6a0d1fca2abd04a8242647f3c87b887
                                                                                                              • Instruction Fuzzy Hash: 38016C31D0D148A9CB04D7ED60416DDBFA89F09304F45C5EFA459D7282D7B915088BDA
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B856,?,?,?,?,?,00000000,0045B87D), ref: 00455E80
                                                                                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B856,?,?,?,?,?,00000000), ref: 00455E89
                                                                                                              • RemoveFontResourceA.GDI32(00000000), ref: 00455E96
                                                                                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455EAA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 4283692357-0
                                                                                                              • Opcode ID: 0cea296a99f6bc8f54668b4dbe0ebeaba86c29914302827ce1a00d79840e3846
                                                                                                              • Instruction ID: 2b3bc76bcbe24f9a378c9fd2a9d0a5bd871778c5a23a50a9ca37bd21dd0b5b9e
                                                                                                              • Opcode Fuzzy Hash: 0cea296a99f6bc8f54668b4dbe0ebeaba86c29914302827ce1a00d79840e3846
                                                                                                              • Instruction Fuzzy Hash: C2F030B574470176EA10B7B69C47F1B228C8B54745F14483ABA00EB2C3D97CD904966D
                                                                                                              APIs
                                                                                                              • GetLastError.KERNEL32(00000000,00000000), ref: 0047003D
                                                                                                              Strings
                                                                                                              • Setting NTFS compression on directory: %s, xrefs: 0047000B
                                                                                                              • Failed to set NTFS compression state (%d)., xrefs: 0047004E
                                                                                                              • Unsetting NTFS compression on directory: %s, xrefs: 00470023
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast
                                                                                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                                              • API String ID: 1452528299-1392080489
                                                                                                              • Opcode ID: 501c20c4b4589d314784abe810e87fd7af79d86b38d8ef254cb346fbb93d82bb
                                                                                                              • Instruction ID: 604d54a06cc176a09f793a0f1904e0e91a55842988fe096117b9dad4a0540a88
                                                                                                              • Opcode Fuzzy Hash: 501c20c4b4589d314784abe810e87fd7af79d86b38d8ef254cb346fbb93d82bb
                                                                                                              • Instruction Fuzzy Hash: 96011731D0D288A6CB04D7AD70417DDBFB49F49314F44C1EFA459E7282DB790909879A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$CountSleepTick
                                                                                                              • String ID:
                                                                                                              • API String ID: 2227064392-0
                                                                                                              • Opcode ID: 9d8c620ac145a49ef357bc67e7af840132a63e2ed6bee5855d7efcfcc9ec2cde
                                                                                                              • Instruction ID: ce153dc38a8bb7651996ca8f0dac3f9c26bc2c6ac7669c34f37b685d31f90408
                                                                                                              • Opcode Fuzzy Hash: 9d8c620ac145a49ef357bc67e7af840132a63e2ed6bee5855d7efcfcc9ec2cde
                                                                                                              • Instruction Fuzzy Hash: D1E0E562B59140658A2431FE18C25BF85A8CECA364B18867FE4C9D6243CC5D8C0786BF
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32(00000008,?,?,00000001,00000000,00000002,00000000,004817AB,?,?,?,?,?,004993B3,00000000,004993DB), ref: 00478649
                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000001,00000000,00000002,00000000,004817AB,?,?,?,?,?,004993B3,00000000), ref: 0047864F
                                                                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,004817AB), ref: 00478671
                                                                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,004817AB), ref: 00478682
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 215268677-0
                                                                                                              • Opcode ID: 897cebff796fb9acf24ada6806b428e4bae0fdb6bab1f730a63c16ba700ca759
                                                                                                              • Instruction ID: 838b6a51ddc7838befbc46fdc110c266dd1fb76be3e125ebbed13216a87d498a
                                                                                                              • Opcode Fuzzy Hash: 897cebff796fb9acf24ada6806b428e4bae0fdb6bab1f730a63c16ba700ca759
                                                                                                              • Instruction Fuzzy Hash: 8CF01CB16443007BD600EAA58C82A9B72DCEB44754F04883E7A98CB2D1DA79D808AB66
                                                                                                              APIs
                                                                                                              • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                                                              • IsWindowVisible.USER32(?), ref: 0042426D
                                                                                                              • IsWindowEnabled.USER32(?), ref: 00424277
                                                                                                              • SetForegroundWindow.USER32(?), ref: 00424281
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                                              • String ID:
                                                                                                              • API String ID: 2280970139-0
                                                                                                              • Opcode ID: 0c1e0aa051013007664b3f07c8d487170f49f724953434a4891b7e2a8b6b14ea
                                                                                                              • Instruction ID: 2755c926dfb62d6ecb2d5c8fb2e1e882bb3f56b09ddc897a1aa573e645a4fcd2
                                                                                                              • Opcode Fuzzy Hash: 0c1e0aa051013007664b3f07c8d487170f49f724953434a4891b7e2a8b6b14ea
                                                                                                              • Instruction Fuzzy Hash: 99E0EC61B0257196AAB1EA7B2881A9F118CDD46BE434602A7FD41F7287DB2CDC1045BD
                                                                                                              APIs
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BF85,?,00000000,00000000,00000001,00000000,0047A939,?,00000000), ref: 0047A8FD
                                                                                                              Strings
                                                                                                              • Failed to parse "reg" constant, xrefs: 0047A904
                                                                                                              • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A771
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                                              • API String ID: 3535843008-1938159461
                                                                                                              • Opcode ID: 77d15435ed7941471254957dc5e0bf6c56fac4dd4ccf85e4ea98b545af4b6f3b
                                                                                                              • Instruction ID: ad7b2ad32a4e046eb061743552de15717f644d650d615c3b0b0b82a4ca8416c6
                                                                                                              • Opcode Fuzzy Hash: 77d15435ed7941471254957dc5e0bf6c56fac4dd4ccf85e4ea98b545af4b6f3b
                                                                                                              • Instruction Fuzzy Hash: D78182B4E00148AFCB11EF95C481ADEBBF9AF88344F10856AE814B7391D738DE15CB99
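The function records above give each recovered routine's imported API calls, referenced strings and similarity hashes, but only as rendered text. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the record layout as it appears in this section (the format is inferred from the listing itself, not from a published specification) into dictionaries, applies a few triage rules taken from the records on this page (the token integrity-level query via OpenProcessToken/GetTokenInformation, the NTFS compression helpers that log through GetLastError, the font removal that broadcasts message 0x1D, which is WM_FONTCHANGE, and the SetForegroundWindow call), and groups functions by the API half of their "API String ID" so that routines with the same API profile but different strings, such as the file and directory compression helpers, land together. The SAMPLE text is constructed from three records on this page with their long argument lists and dump-file bullets trimmed.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump
Source / Similarity) into dicts and tag them with simple triage rules.

Added example; not part of the Joe Sandbox report or its tooling. The
record layout is inferred from the listing on this page."""
import re
from collections import defaultdict

# One API call bullet, e.g.
#   • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),...), ref: 00478671
# Inlined subcalls carry an optional "Part of subcall function XXXX:" prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# One referenced string, e.g. "• Failed to set NTFS compression state (%d)., xrefs: 004707FA"
STRING_RE = re.compile(r"^•\s*(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Any other "• Key: value" bullet (Source File, API ID, Instruction Fuzzy Hash, ...)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# (label, API names that must all be present, substring that must occur in the
#  call arguments or referenced strings, or None). Drawn from records on this page.
TRIAGE_RULES = [
    ("queries own token integrity level",
     {"OpenProcessToken", "GetTokenInformation"}, "TokenIntegrityLevel"),
    ("toggles NTFS compression and logs failures",
     {"GetLastError"}, "NTFS compression"),
    ("removes a font and broadcasts WM_FONTCHANGE",      # message 0x1D == WM_FONTCHANGE
     {"RemoveFontResourceA", "SendNotifyMessageA"}, "0000001D"),
    ("forces a window to the foreground",
     {"SetForegroundWindow"}, None),
]


def parse_records(text):
    """Split a listing into records; a new record starts at each bare 'APIs' line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "strings": [], "fields": {}}
            records.append(rec)
            section = line
            continue
        if rec is None:                      # text before the first record
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": m["args"].split(","),
                                    "ref": int(m["ref"], 16)})
                continue
        if section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec["strings"].append({"text": m["text"], "ref": int(m["ref"], 16)})
                continue
        m = FIELD_RE.match(line)
        if m:
            rec["fields"][m["key"].strip()] = m["val"].strip()
    return records


def triage(rec):
    """Return the labels of every TRIAGE_RULES entry this record satisfies."""
    names = {a["name"] for a in rec["apis"]}
    blob = " ".join(",".join(a["args"]) for a in rec["apis"])
    blob += " " + " ".join(s["text"] for s in rec["strings"])
    return [label for label, needed, needle in TRIAGE_RULES
            if needed <= names and (needle is None or needle in blob)]


def group_by_api_id(records):
    """Group records by the API half of 'API String ID' (the part before '-')."""
    groups = defaultdict(list)
    for rec in records:
        api_id = rec["fields"].get("API String ID", "").split("-")[0]
        if api_id:
            groups[api_id].append(rec)
    return dict(groups)


# Constructed sample: three records from this report, trimmed.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004707E9
Strings
• Setting NTFS compression on file: %s, xrefs: 004707B7
• Failed to set NTFS compression state (%d)., xrefs: 004707FA
• Unsetting NTFS compression on file: %s, xrefs: 004707CF
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast
• API String ID: 1452528299-3038984924
• Instruction Fuzzy Hash: 38016C31D0D148A9CB04D7ED60416DDBFA89F09304F45C5EFA459D7282D7B915088BDA
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0047003D
Strings
• Setting NTFS compression on directory: %s, xrefs: 0047000B
• Failed to set NTFS compression state (%d)., xrefs: 0047004E
• Unsetting NTFS compression on directory: %s, xrefs: 00470023
Similarity
• API ID: ErrorLast
• API String ID: 1452528299-1392080489
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,00000001), ref: 00478649
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?), ref: 0047864F
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008), ref: 00478671
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000), ref: 00478682
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• API String ID: 215268677-0
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["fields"].get("API String ID"), [a["name"] for a in r["apis"]], triage(r))
    print({k: len(v) for k, v in group_by_api_id(recs).items()})
```

Feed the parser the text of a whole disassembly section rather than a hand-trimmed excerpt; records with an empty "APIs" section (as above, where the API list was elided but "API ID" still reads ErrorLast$CountSleepTick) still get their Similarity fields, so grouping by API String ID works even when the call list is missing.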
                                                                                                              APIs
                                                                                                              • GetForegroundWindow.USER32(00000000,00483BFA,?,00000000,00483C3B,?,?,?,?,00000000,00000000,00000000,?,0046BE99), ref: 00483AA9
                                                                                                              • SetActiveWindow.USER32(?,00000000,00483BFA,?,00000000,00483C3B,?,?,?,?,00000000,00000000,00000000,?,0046BE99), ref: 00483ABB
                                                                                                              Strings
                                                                                                              • Will not restart Windows automatically., xrefs: 00483BDA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ActiveForeground
                                                                                                              • String ID: Will not restart Windows automatically.
                                                                                                              • API String ID: 307657957-4169339592
                                                                                                              APIs
                                                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,0047691B,?,00000000,0047692C,?,00000000,00476975), ref: 004768EC
                                                                                                              • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,0047691B,?,00000000,0047692C,?,00000000,00476975), ref: 00476900
                                                                                                              Strings
                                                                                                              • Extracting temporary file: , xrefs: 00476828
                                                                                                              Similarity
                                                                                                              • API ID: FileTime$Local
                                                                                                              • String ID: Extracting temporary file:
                                                                                                              • API String ID: 791338737-4171118009
                                                                                                              Strings
                                                                                                              • Failed to proceed to next wizard page; aborting., xrefs: 0046CE24
                                                                                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CE38
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                              • API String ID: 0-1974262853
                                                                                                              APIs
                                                                                                                • Part of subcall function 0042DE2C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004840C7,?,00000001,?,?,004840C7,?,00000001,00000000), ref: 0042DE48
                                                                                                              • RegCloseKey.ADVAPI32(?,004793BA,?,?,00000001,00000000,00000000,004793D5), ref: 004793A3
                                                                                                              Strings
                                                                                                              • %s\%s_is1, xrefs: 0047934C
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047932E
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen
                                                                                                              • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                              • API String ID: 47109696-1598650737
                                                                                                              APIs
                                                                                                              • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 00450271
                                                                                                              • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004502A2
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: ExecuteMessageSendShell
                                                                                                              • String ID: open
                                                                                                              • API String ID: 812272486-2758837156
                                                                                                              APIs
                                                                                                              • ShellExecuteEx.SHELL32(0000003C), ref: 004553A0
                                                                                                              • GetLastError.KERNEL32(0000003C,00000000,004553E9,?,?,00000001,00000001), ref: 004553B1
                                                                                                                • Part of subcall function 0042D8D4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8E7
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                              • String ID: <
                                                                                                              • API String ID: 893404051-4251816714
                                                                                                              APIs
                                                                                                              • RtlEnterCriticalSection.KERNEL32(0049C420,00000000,)), ref: 004025C7
                                                                                                              • RtlLeaveCriticalSection.KERNEL32(0049C420,0040263D), ref: 00402630
                                                                                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049C420,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049C420,0049C420,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049C420,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049C420,00401A89,00000000,00401A82,?,?,0040222E,02387230,00001ACC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                              • String ID: )
                                                                                                              • API String ID: 2227675388-1084416617
                                                                                                              APIs
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00497241
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: Window
                                                                                                              • String ID: /INITPROCWND=$%x $@
                                                                                                              • API String ID: 2353593579-4169826103
                                                                                                              APIs
                                                                                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                              • SysFreeString.OLEAUT32(?), ref: 0044753A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: String$AllocByteCharFreeMultiWide
                                                                                                              • String ID: NIL Interface Exception$Unknown Method
                                                                                                              • API String ID: 3952431833-1023667238
                                                                                                              • Opcode ID: b5b3b2027cd9392a30aef52b357f29023a93b6cb0369269594e46825eb3d0212
                                                                                                              • Instruction ID: e21740dd19ee0d3aaa7bf219fd9fa850e2e2e771d5dc584e192d83827b059975
                                                                                                              • Opcode Fuzzy Hash: b5b3b2027cd9392a30aef52b357f29023a93b6cb0369269594e46825eb3d0212
                                                                                                              • Instruction Fuzzy Hash: 9211E930A04204AFEB00DFA59D42A6EBBBCEB49704F51447AF500EB681DB789D00CB69
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496B40,?,00496B34,00000000,00496B1B), ref: 00496AE6
                                                                                                              • CloseHandle.KERNEL32(00496B80,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496B40,?,00496B34,00000000), ref: 00496AFD
                                                                                                                • Part of subcall function 004969D0: GetLastError.KERNEL32(00000000,00496A68,?,?,?,?), ref: 004969F4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateErrorHandleLastProcess
                                                                                                              • String ID: D
                                                                                                              • API String ID: 3798668922-2746444292
                                                                                                              • Opcode ID: 8c076d8b975d6b314500e760c1b31ec559303ffe873c3baf39058a33e9a74c9f
                                                                                                              • Instruction ID: 4578fedeb831857a9fa7b324a6e48fa42854d3e5b1879a7f0481b0c617fb48be
                                                                                                              • Opcode Fuzzy Hash: 8c076d8b975d6b314500e760c1b31ec559303ffe873c3baf39058a33e9a74c9f
                                                                                                              • Instruction Fuzzy Hash: 050165B1644148AFDF00DBD6CC92F9F7BACDF49714F52407BB504E7281E6789E058619
                                                                                                              APIs
                                                                                                              • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD88
                                                                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDC8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Value$EnumQuery
                                                                                                              • String ID: Inno Setup: No Icons
                                                                                                              • API String ID: 1576479698-2016326496
                                                                                                              • Opcode ID: 8eee03c1fbfc328194d38fab97817ecd3167584576368d321fe403edd0428e5d
                                                                                                              • Instruction ID: 8a75d463627faac0db3bfd1327658b2d26d196a72fd2cd26e512c66f67a8876f
                                                                                                              • Opcode Fuzzy Hash: 8eee03c1fbfc328194d38fab97817ecd3167584576368d321fe403edd0428e5d
                                                                                                              • Instruction Fuzzy Hash: E0012B36F5A77079F73046216D02BBB56888B82B60F68053BF940EA2C0D6589C04D36E
                                                                                                              APIs
                                                                                                              • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452F5D,?,?,-00000001,?), ref: 00452F37
                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000,00452F5D,?,?,-00000001,?), ref: 00452F3F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AttributesErrorFileLast
                                                                                                              • String ID: 8)H
                                                                                                              • API String ID: 1799206407-3916970867
                                                                                                              • Opcode ID: ce74d8d9d820f7af3c63aa287241caff3d4e0ddf2f4ddb2ef23d86c57fabe815
                                                                                                              • Instruction ID: dde47f3407bff09e6a38a0e499abe30f06c7602c99efaa7623f496abef129164
                                                                                                              • Opcode Fuzzy Hash: ce74d8d9d820f7af3c63aa287241caff3d4e0ddf2f4ddb2ef23d86c57fabe815
                                                                                                              • Instruction Fuzzy Hash: DAF0F972A04204BBCB00DB76AD4149EF7FCDB4A721710457BFC04D3342E6B85E089598
                                                                                                              APIs
                                                                                                                • Part of subcall function 0045568C: GetCurrentProcess.KERNEL32(00000028), ref: 0045569B
                                                                                                                • Part of subcall function 0045568C: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004556A1
                                                                                                              • SetForegroundWindow.USER32(?), ref: 00497F6E
                                                                                                              Strings
                                                                                                              • Restarting Windows., xrefs: 00497F4B
                                                                                                              • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00497F99
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                                              • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                                              • API String ID: 3179053593-4147564754
                                                                                                              • Opcode ID: a5cc7a903ad3542029bb0d77cfbe7a364602ca208a9d9cbdfb1bf1aa9e376992
                                                                                                              • Instruction ID: 4b66e7a5e74ecb784a5d921af265fbc31bf072fcbe68812fd41d72e60711739e
                                                                                                              • Opcode Fuzzy Hash: a5cc7a903ad3542029bb0d77cfbe7a364602ca208a9d9cbdfb1bf1aa9e376992
                                                                                                              • Instruction Fuzzy Hash: 1C0188706182409BEB05E765E441B9D3FD99F95309F50807BF404772D3C67D9D49872D
                                                                                                              APIs
                                                                                                              • DeleteFileA.KERNEL32(00000000,00000000,004529D9,?,-00000001,?), ref: 004529B3
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,004529D9,?,-00000001,?), ref: 004529BB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DeleteErrorFileLast
                                                                                                              • String ID: 8)H
                                                                                                              • API String ID: 2018770650-3916970867
                                                                                                              • Opcode ID: 2bffeee8909a74cd18c2d876bd05f5b8a9f89f7c78f30e1aeb97f13d0a4fc114
                                                                                                              • Instruction ID: 616889b774c7d0a889357a9a25b6211c9f917d25ccf9d7241b8d0611c73475d1
                                                                                                              • Opcode Fuzzy Hash: 2bffeee8909a74cd18c2d876bd05f5b8a9f89f7c78f30e1aeb97f13d0a4fc114
                                                                                                              • Instruction Fuzzy Hash: 6CF0C8B1B04708ABDB00EF759D4249EB7ECDB4A315B5045B7FC04E3742E6785E148598
                                                                                                              APIs
                                                                                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,00452EE1,?,-00000001,00000000), ref: 00452EBB
                                                                                                              • GetLastError.KERNEL32(00000000,00000000,00452EE1,?,-00000001,00000000), ref: 00452EC3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DirectoryErrorLastRemove
                                                                                                              • String ID: 8)H
                                                                                                              • API String ID: 377330604-3916970867
                                                                                                              • Opcode ID: 13593e553e6be281e96d7bb953d56a5927f6c498d227b46fc847c2a148732c0c
                                                                                                              • Instruction ID: c7bdba2715fb66454707c14724f72c320a39a9c6e4158119f2851cf94b52ae50
                                                                                                              • Opcode Fuzzy Hash: 13593e553e6be281e96d7bb953d56a5927f6c498d227b46fc847c2a148732c0c
                                                                                                              • Instruction Fuzzy Hash: F2F0C871A04708ABCB00DFB59D4249EB7E8EB4E31575049B7FC04E7642E7785E049558
                                                                                                              APIs
                                                                                                                • Part of subcall function 0047D550: FreeLibrary.KERNEL32(6F950000,00481F13), ref: 0047D566
                                                                                                                • Part of subcall function 0047D220: GetTickCount.KERNEL32 ref: 0047D26A
                                                                                                                • Part of subcall function 0045733C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 0045735B
                                                                                                              • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00499033), ref: 00498731
                                                                                                              • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00499033), ref: 00498737
                                                                                                              Strings
                                                                                                              • Detected restart. Removing temporary directory., xrefs: 004986EB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                              • Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
• Opcode ID: dacc005acb48f2c9a6c17312f31363653640754999933287209c5bc8a26dcf54
• Instruction ID: 1f2dec6c19a68f67b40637f6c2d8dd05bc5c387ef6d5d21522d9e9d16f9083c3
• Opcode Fuzzy Hash: dacc005acb48f2c9a6c17312f31363653640754999933287209c5bc8a26dcf54
• Instruction Fuzzy Hash: 91E0A0716086402ADA0277AA7C1296B3B5CDB46768B6144BFF80491A52E92C4811C67D
APIs
Memory Dump Source
• Source File: 00000001.00000002.2904770618.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2904692145.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2904962474.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905003094.000000000049B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905032241.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2905067709.00000000004AC000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
• Opcode ID: 648dda9fcfa3be0796cf1e21ca424cd02d6c478e8aba2200b071bc3282ec43fd
• Instruction ID: c9025c94a886fb5f76285139ad04fc7cdabfdd445e85fa9ce07bcd72d8186167
• Opcode Fuzzy Hash: 648dda9fcfa3be0796cf1e21ca424cd02d6c478e8aba2200b071bc3282ec43fd
• Instruction Fuzzy Hash: 0FF0B472B00914E74F20A5AAA99197F678CEA9D376F10852BFC04D7307C53DDD098AED

Execution Graph

Execution Coverage: 10.5%
Dynamic/Decrypted Code Coverage: 83.5%
Signature Coverage: 1.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 36
2c1a220 19071->19121 19076->19066 19078 2c1a60b __EH_prolog 19077->19078 19085 2c1cbb0 19078->19085 19083 2c2449a __CxxThrowException@8 RaiseException 19084 2c1a639 19083->19084 19091 2c1d710 19085->19091 19088 2c1cbca 19113 2c1d748 19088->19113 19090 2c1a628 19090->19083 19094 2c22453 19091->19094 19097 2c22481 19094->19097 19098 2c2248f 19097->19098 19102 2c1a61a 19097->19102 19103 2c22517 19098->19103 19102->19088 19104 2c22520 19103->19104 19105 2c22494 19103->19105 19106 2c22eb4 _free 59 API calls 19104->19106 19105->19102 19107 2c224d9 19105->19107 19106->19105 19108 2c224e5 _strlen 19107->19108 19111 2c2250a 19107->19111 19109 2c22eec _malloc 59 API calls 19108->19109 19110 2c224f7 19109->19110 19110->19111 19112 2c26bfc __setenvp 59 API calls 19110->19112 19111->19102 19112->19111 19114 2c1d752 __EH_prolog 19113->19114 19117 2c1b673 19114->19117 19116 2c1d789 Mailbox 19116->19090 19118 2c1b67d __EH_prolog 19117->19118 19119 2c22453 std::exception::exception 59 API calls 19118->19119 19120 2c1b68e Mailbox 19119->19120 19120->19116 19132 2c1b037 19121->19132 19124 2c13fdc 19139 2c35330 19124->19139 19126 2c13fe6 CreateEventA 19127 2c13ffd 19126->19127 19128 2c1400f 19126->19128 19129 2c13fb0 Mailbox 68 API calls 19127->19129 19128->19063 19130 2c14005 19129->19130 19131 2c1a5c2 Mailbox 60 API calls 19130->19131 19131->19128 19133 2c1b043 19132->19133 19134 2c140c1 19132->19134 19135 2c23a8f _Allocate 60 API calls 19133->19135 19136 2c1b053 std::exception::exception 19133->19136 19134->19124 19135->19136 19136->19134 19137 2c2449a __CxxThrowException@8 RaiseException 19136->19137 19138 2c1fa68 19137->19138 19139->19126 19141 2c2330a 19140->19141 19142 2c2331e 19140->19142 19144 2c25d9b _vscan_fn 59 API calls 19141->19144 19143 2c289ac __calloc_crt 59 API calls 19142->19143 19145 2c2332b 19143->19145 19146 2c2330f 19144->19146 19147 2c2337c 19145->19147 19149 2c25b9a _LocaleUpdate::_LocaleUpdate 59 API calls 19145->19149 19148 2c24e35 _vscan_fn 9 API calls 
19146->19148 19150 2c22eb4 _free 59 API calls 19147->19150 19154 2c2204b 19148->19154 19151 2c23338 19149->19151 19152 2c23382 19150->19152 19153 2c25c21 __initptd 59 API calls 19151->19153 19152->19154 19159 2c25d7a 19152->19159 19156 2c23341 CreateThread 19153->19156 19154->19041 19154->19043 19154->19044 19156->19154 19158 2c23374 GetLastError 19156->19158 19167 2c2345c 19156->19167 19158->19147 19164 2c25d67 19159->19164 19161 2c25d83 _free 19162 2c25d9b _vscan_fn 59 API calls 19161->19162 19163 2c25d96 19162->19163 19163->19154 19165 2c25bb2 __getptd_noexit 59 API calls 19164->19165 19166 2c25d6c 19165->19166 19166->19161 19168 2c23465 __threadstartex@4 19167->19168 19169 2c2910b __CRT_INIT@12 TlsGetValue 19168->19169 19170 2c2346b 19169->19170 19171 2c23472 __threadstartex@4 19170->19171 19172 2c2349e 19170->19172 19175 2c2912a __CRT_INIT@12 TlsSetValue 19171->19175 19199 2c25a2f 19172->19199 19174 2c234b9 ___crtIsPackagedApp 19179 2c234cd 19174->19179 19183 2c23404 19174->19183 19176 2c23481 19175->19176 19177 2c23487 GetLastError RtlExitUserThread 19176->19177 19178 2c23494 GetCurrentThreadId 19176->19178 19177->19178 19178->19174 19189 2c23395 19179->19189 19184 2c23446 RtlDecodePointer 19183->19184 19185 2c2340d LoadLibraryExW GetProcAddress 19183->19185 19188 2c23456 19184->19188 19186 2c23430 RtlEncodePointer 19185->19186 19187 2c2342f 19185->19187 19186->19184 19187->19179 19188->19179 19190 2c233a1 __fsopen 19189->19190 19191 2c25b9a _LocaleUpdate::_LocaleUpdate 59 API calls 19190->19191 19192 2c233a6 19191->19192 19231 2c220a0 19192->19231 19201 2c25a3b __fsopen 19199->19201 19200 2c25a54 19204 2c25a63 19200->19204 19205 2c22eb4 _free 59 API calls 19200->19205 19201->19200 19202 2c25b43 __fsopen 19201->19202 19203 2c22eb4 _free 59 API calls 19201->19203 19202->19174 19203->19200 19206 2c22eb4 _free 59 API calls 19204->19206 19207 2c25a72 19204->19207 19205->19204 19206->19207 19208 2c22eb4 _free 59 API calls 19207->19208 19210 2c25a81 19207->19210 
19208->19210 19209 2c25a90 19212 2c25a9f 19209->19212 19213 2c22eb4 _free 59 API calls 19209->19213 19210->19209 19211 2c22eb4 _free 59 API calls 19210->19211 19211->19209 19214 2c25aae 19212->19214 19216 2c22eb4 _free 59 API calls 19212->19216 19213->19212 19215 2c25ac0 19214->19215 19217 2c22eb4 _free 59 API calls 19214->19217 19218 2c2882d __lock 59 API calls 19215->19218 19216->19214 19217->19215 19221 2c25ac8 19218->19221 19219 2c25aeb 19499 2c25b4f 19219->19499 19221->19219 19224 2c22eb4 _free 59 API calls 19221->19224 19223 2c2882d __lock 59 API calls 19229 2c25aff ___removelocaleref 19223->19229 19224->19219 19249 2c21550 19231->19249 19234 2c220f0 19271 2c1dceb 19234->19271 19235 2c220e8 TlsSetValue 19235->19234 19252 2c215b4 19249->19252 19250 2c21630 19251 2c21646 19250->19251 19254 2c21643 CloseHandle 19250->19254 19256 2c2448b ___crt_atoflt_l 6 API calls 19251->19256 19252->19250 19253 2c215cc 19252->19253 19259 2c216dc WaitForSingleObject 19252->19259 19266 2c216b0 CreateEventA 19252->19266 19268 2c21b50 GetCurrentProcessId 19252->19268 19270 2c216ce CloseHandle 19252->19270 19255 2c2160e ResetEvent 19253->19255 19260 2c215e5 OpenEventA 19253->19260 19287 2c21b50 19253->19287 19254->19251 19258 2c21615 19255->19258 19257 2c2165e 19256->19257 19257->19234 19257->19235 19291 2c21790 19258->19291 19259->19252 19261 2c21607 19260->19261 19262 2c215ff 19260->19262 19261->19255 19261->19258 19262->19261 19265 2c21604 CloseHandle 19262->19265 19265->19261 19266->19252 19268->19252 19270->19252 19301 2c20bb0 19287->19301 19289 2c21ba2 GetCurrentProcessId 19290 2c21bb5 19289->19290 19296 2c2179f 19291->19296 19292 2c217f7 19295 2c217d5 CreateEventA 19295->19292 19296->19292 19296->19295 19298 2c21b50 GetCurrentProcessId 19296->19298 19301->19289 19505 2c28997 RtlLeaveCriticalSection 19499->19505 19501 2c25af8 19501->19223 19505->19501 19510 2c22413 19507->19510 19511 2c224d9 std::exception::_Copy_str 59 API calls 19510->19511 19512 2c1182a 19511->19512 
19512->19050 19519 2c1d641 19513->19519 19516 2c1cb94 19528 2c1d679 19516->19528 19522 2c1b165 19519->19522 19523 2c1b16f __EH_prolog 19522->19523 19524 2c22453 std::exception::exception 59 API calls 19523->19524 19525 2c1b180 19524->19525 19526 2c17c35 std::bad_exception::bad_exception 60 API calls 19525->19526 19527 2c1a5e1 19526->19527 19527->19516 19529 2c1d683 __EH_prolog 19528->19529 19532 2c1b55d 19529->19532 19533 2c1b567 __EH_prolog 19532->19533 19534 2c1b165 std::bad_exception::bad_exception 60 API calls 19533->19534 19557 2c29d71 19536->19557 19538 2c25e4f 19539 2c25e71 19538->19539 19540 2c25e5a 19538->19540 19542 2c25e76 19539->19542 19547 2c25e83 __flsbuf 19539->19547 19541 2c25d9b _vscan_fn 59 API calls 19540->19541 19544 2c25e5f 19541->19544 19543 2c25d9b _vscan_fn 59 API calls 19542->19543 19543->19544 19544->18217 19545 2c25f61 19549 2c29d95 __write 79 API calls 19545->19549 19546 2c25ee7 19548 2c25f01 19546->19548 19551 2c25f18 19546->19551 19547->19544 19553 2c25ed2 19547->19553 19556 2c25edd 19547->19556 19564 2c2f6e2 19547->19564 19576 2c29d95 19548->19576 19549->19544 19551->19544 19604 2c2f736 19551->19604 19553->19556 19573 2c2f8a5 19553->19573 19556->19545 19556->19546 19558 2c29d90 19557->19558 19559 2c29d7b 19557->19559 19558->19538 19560 2c25d9b _vscan_fn 59 API calls 19559->19560 19561 2c29d80 19560->19561 19562 2c24e35 _vscan_fn 9 API calls 19561->19562 19563 2c29d8b 19562->19563 19563->19538 19565 2c2f6fa 19564->19565 19566 2c2f6ed 19564->19566 19568 2c2f706 19565->19568 19569 2c25d9b _vscan_fn 59 API calls 19565->19569 19567 2c25d9b _vscan_fn 59 API calls 19566->19567 19570 2c2f6f2 19567->19570 19568->19553 19571 2c2f727 19569->19571 19570->19553 19572 2c24e35 _vscan_fn 9 API calls 19571->19572 19572->19570 19574 2c289f4 __malloc_crt 59 API calls 19573->19574 19575 2c2f8ba 19574->19575 19575->19556 19577 2c29da1 __fsopen 19576->19577 19578 2c29dc5 19577->19578 19579 2c29dae 19577->19579 19581 2c29e64 19578->19581 19583 2c29dd9 
19578->19583 19580 2c25d67 __read_nolock 59 API calls 19579->19580 19582 2c29db3 19580->19582 19584 2c25d67 __read_nolock 59 API calls 19581->19584 19585 2c25d9b _vscan_fn 59 API calls 19582->19585 19586 2c29e01 19583->19586 19587 2c29df7 19583->19587 19588 2c29dfc 19584->19588 19599 2c29dba __fsopen 19585->19599 19629 2c30bc7 19586->19629 19589 2c25d67 __read_nolock 59 API calls 19587->19589 19592 2c25d9b _vscan_fn 59 API calls 19588->19592 19589->19588 19591 2c29e07 19593 2c29e1a 19591->19593 19594 2c29e2d 19591->19594 19595 2c29e70 19592->19595 19638 2c29e84 19593->19638 19598 2c25d9b _vscan_fn 59 API calls 19594->19598 19597 2c24e35 _vscan_fn 9 API calls 19595->19597 19597->19599 19601 2c29e32 19598->19601 19599->19544 19600 2c29e26 19697 2c29e5c 19600->19697 19602 2c25d67 __read_nolock 59 API calls 19601->19602 19602->19600 19605 2c2f742 __fsopen 19604->19605 19606 2c2f753 19605->19606 19609 2c2f76b 19605->19609 19608 2c25d67 __read_nolock 59 API calls 19606->19608 19607 2c2f810 19610 2c25d67 __read_nolock 59 API calls 19607->19610 19611 2c2f758 19608->19611 19609->19607 19612 2c2f7a0 19609->19612 19613 2c2f815 19610->19613 19614 2c25d9b _vscan_fn 59 API calls 19611->19614 19615 2c30bc7 ___lock_fhandle 60 API calls 19612->19615 19616 2c25d9b _vscan_fn 59 API calls 19613->19616 19623 2c2f760 __fsopen 19614->19623 19617 2c2f7a6 19615->19617 19618 2c2f81d 19616->19618 19619 2c2f7d4 19617->19619 19620 2c2f7bc 19617->19620 19621 2c24e35 _vscan_fn 9 API calls 19618->19621 19624 2c25d9b _vscan_fn 59 API calls 19619->19624 19622 2c2f832 __lseeki64_nolock 61 API calls 19620->19622 19621->19623 19625 2c2f7cb 19622->19625 19623->19544 19626 2c2f7d9 19624->19626 19733 2c2f808 19625->19733 19627 2c25d67 __read_nolock 59 API calls 19626->19627 19627->19625 19630 2c30bd3 __fsopen 19629->19630 19631 2c30c22 RtlEnterCriticalSection 19630->19631 19633 2c2882d __lock 59 API calls 19630->19633 19632 2c30c48 __fsopen 19631->19632 19632->19591 19634 2c30bf8 19633->19634 19635 
2c30c10 19634->19635 19637 2c2914c ___lock_fhandle InitializeCriticalSectionAndSpinCount 19634->19637 19700 2c30c4c 19635->19700 19637->19635 19639 2c29e91 __write_nolock 19638->19639 19640 2c29ed0 19639->19640 19641 2c29eef 19639->19641 19671 2c29ec5 19639->19671 19643 2c25d67 __read_nolock 59 API calls 19640->19643 19644 2c29f47 19641->19644 19645 2c29f2b 19641->19645 19642 2c2448b ___crt_atoflt_l 6 API calls 19646 2c2a6e5 19642->19646 19647 2c29ed5 19643->19647 19649 2c29f60 19644->19649 19704 2c2f832 19644->19704 19648 2c25d67 __read_nolock 59 API calls 19645->19648 19646->19600 19650 2c25d9b _vscan_fn 59 API calls 19647->19650 19651 2c29f30 19648->19651 19654 2c2f6e2 __read_nolock 59 API calls 19649->19654 19653 2c29edc 19650->19653 19656 2c25d9b _vscan_fn 59 API calls 19651->19656 19657 2c24e35 _vscan_fn 9 API calls 19653->19657 19655 2c29f6e 19654->19655 19658 2c2a2c7 19655->19658 19663 2c25b9a _LocaleUpdate::_LocaleUpdate 59 API calls 19655->19663 19659 2c29f37 19656->19659 19657->19671 19660 2c2a2e5 19658->19660 19661 2c2a65a WriteFile 19658->19661 19662 2c24e35 _vscan_fn 9 API calls 19659->19662 19664 2c2a409 19660->19664 19674 2c2a2fb 19660->19674 19665 2c2a2ba GetLastError 19661->19665 19672 2c2a287 19661->19672 19662->19671 19666 2c29f9a GetConsoleMode 19663->19666 19668 2c2a414 19664->19668 19669 2c2a4fe 19664->19669 19665->19672 19666->19658 19670 2c29fd9 19666->19670 19667 2c2a693 19667->19671 19676 2c25d9b _vscan_fn 59 API calls 19667->19676 19668->19667 19668->19672 19683 2c2a479 WriteFile 19668->19683 19669->19667 19669->19672 19682 2c2a573 WideCharToMultiByte 19669->19682 19687 2c2a5c2 WriteFile 19669->19687 19670->19658 19673 2c29fe9 GetConsoleCP 19670->19673 19671->19642 19672->19667 19672->19671 19677 2c2a3e7 19672->19677 19673->19667 19693 2c2a018 19673->19693 19674->19667 19674->19672 19675 2c2a36a WriteFile 19674->19675 19675->19665 19675->19674 19678 2c2a6c1 19676->19678 19680 2c2a3f2 19677->19680 19681 2c2a68a 19677->19681 19679 2c25d67 
__read_nolock 59 API calls 19678->19679 19679->19671 19684 2c25d9b _vscan_fn 59 API calls 19680->19684 19685 2c25d7a __dosmaperr 59 API calls 19681->19685 19682->19665 19682->19669 19683->19665 19683->19668 19686 2c2a3f7 19684->19686 19685->19671 19688 2c25d67 __read_nolock 59 API calls 19686->19688 19687->19669 19690 2c2a615 GetLastError 19687->19690 19688->19671 19690->19669 19691 2c2ff4a 61 API calls __write_nolock 19691->19693 19692 2c30f93 WriteConsoleW CreateFileW __putwch_nolock 19692->19693 19693->19665 19693->19672 19693->19691 19693->19692 19694 2c2a101 WideCharToMultiByte 19693->19694 19696 2c2a196 WriteFile 19693->19696 19713 2c2dc88 19693->19713 19694->19672 19695 2c2a13c WriteFile 19694->19695 19695->19665 19695->19693 19696->19665 19696->19693 19732 2c30f6d RtlLeaveCriticalSection 19697->19732 19699 2c29e62 19699->19599 19703 2c28997 RtlLeaveCriticalSection 19700->19703 19702 2c30c53 19702->19631 19703->19702 19716 2c30e84 19704->19716 19706 2c2f842 19707 2c2f84a 19706->19707 19708 2c2f85b SetFilePointerEx 19706->19708 19709 2c25d9b _vscan_fn 59 API calls 19707->19709 19710 2c2f873 GetLastError 19708->19710 19711 2c2f84f 19708->19711 19709->19711 19712 2c25d7a __dosmaperr 59 API calls 19710->19712 19711->19649 19712->19711 19729 2c2dc4e 19713->19729 19717 2c30ea4 19716->19717 19718 2c30e8f 19716->19718 19720 2c25d67 __read_nolock 59 API calls 19717->19720 19722 2c30ec9 19717->19722 19719 2c25d67 __read_nolock 59 API calls 19718->19719 19721 2c30e94 19719->19721 19723 2c30ed3 19720->19723 19724 2c25d9b _vscan_fn 59 API calls 19721->19724 19722->19706 19725 2c25d9b _vscan_fn 59 API calls 19723->19725 19727 2c30e9c 19724->19727 19726 2c30edb 19725->19726 19728 2c24e35 _vscan_fn 9 API calls 19726->19728 19727->19706 19728->19727 19730 2c221bb _LocaleUpdate::_LocaleUpdate 59 API calls 19729->19730 19731 2c2dc5f 19730->19731 19731->19693 19732->19699 19736 2c30f6d RtlLeaveCriticalSection 19733->19736 19735 2c2f80e 19735->19623 19736->19735 19737->18222 
19739 2c1e271 __EH_prolog 19738->19739 19740 2c23a8f _Allocate 60 API calls 19739->19740 19741 2c1e27a 19740->19741 19742 2c11bfa RtlEnterCriticalSection 19741->19742 19744 2c1e488 19741->19744 19742->18227 19745 2c1e492 __EH_prolog 19744->19745 19748 2c126db RtlEnterCriticalSection 19745->19748 19747 2c1e4e8 19747->19742 19749 2c12728 CreateWaitableTimerA 19748->19749 19750 2c1277e 19748->19750 19752 2c12738 GetLastError 19749->19752 19753 2c1275b SetWaitableTimer 19749->19753 19751 2c127d5 RtlLeaveCriticalSection 19750->19751 19754 2c23a8f _Allocate 60 API calls 19750->19754 19751->19747 19755 2c20a50 Mailbox 68 API calls 19752->19755 19753->19750 19756 2c1278a 19754->19756 19757 2c12745 19755->19757 19759 2c23a8f _Allocate 60 API calls 19756->19759 19760 2c127c8 19756->19760 19792 2c11712 19757->19792 19761 2c127a9 19759->19761 19798 2c17d3a 19760->19798 19764 2c11cf8 CreateEventA 19761->19764 19765 2c11d23 GetLastError 19764->19765 19766 2c11d52 CreateEventA 19764->19766 19770 2c11d33 19765->19770 19767 2c11d6b GetLastError 19766->19767 19768 2c11d96 19766->19768 19773 2c11d7b 19767->19773 19769 2c232fc __beginthreadex 201 API calls 19768->19769 19771 2c11db6 19769->19771 19772 2c20a50 Mailbox 68 API calls 19770->19772 19775 2c11dc6 GetLastError 19771->19775 19776 2c11e0d 19771->19776 19777 2c11d3c 19772->19777 19774 2c20a50 Mailbox 68 API calls 19773->19774 19778 2c11d84 19774->19778 19783 2c11dd8 19775->19783 19779 2c11e11 WaitForSingleObject CloseHandle 19776->19779 19780 2c11e1d 19776->19780 19781 2c11712 60 API calls 19777->19781 19782 2c11712 60 API calls 19778->19782 19779->19780 19780->19760 19784 2c11d4e 19781->19784 19782->19768 19785 2c11ddc CloseHandle 19783->19785 19786 2c11ddf 19783->19786 19784->19766 19785->19786 19787 2c11de9 CloseHandle 19786->19787 19788 2c11dee 19786->19788 19787->19788 19789 2c20a50 Mailbox 68 API calls 19788->19789 19790 2c11dfb 19789->19790 19791 2c11712 60 API calls 19790->19791 19791->19776 19793 2c1171c __EH_prolog 
19792->19793 19794 2c1173e 19793->19794 19795 2c11815 Mailbox 59 API calls 19793->19795 19794->19753 19796 2c11732 19795->19796 19801 2c1a3d9 19796->19801 19799 2c17d56 19798->19799 19800 2c17d47 CloseHandle 19798->19800 19799->19751 19800->19799 19802 2c1a3e3 __EH_prolog 19801->19802 19809 2c1c93e 19802->19809 19806 2c1a404 19807 2c2449a __CxxThrowException@8 RaiseException 19806->19807 19808 2c1a412 19807->19808 19810 2c1b165 std::bad_exception::bad_exception 60 API calls 19809->19810 19811 2c1a3f6 19810->19811 19812 2c1c97a 19811->19812 19813 2c1c984 __EH_prolog 19812->19813 19816 2c1b114 19813->19816 19815 2c1c9b3 Mailbox 19815->19806 19817 2c1b11e __EH_prolog 19816->19817 19818 2c1b165 std::bad_exception::bad_exception 60 API calls 19817->19818 19819 2c1b12f Mailbox 19818->19819 19819->19815 19831 2c130ae WSASetLastError 19820->19831 19823 2c130ae 71 API calls 19824 2c13c90 19823->19824 19825 2c116ae 19824->19825 19826 2c116b8 __EH_prolog 19825->19826 19827 2c11701 19826->19827 19828 2c22413 std::exception::exception 59 API calls 19826->19828 19827->18108 19829 2c116dc 19828->19829 19830 2c1a3d9 60 API calls 19829->19830 19830->19827 19832 2c130ec WSAStringToAddressA 19831->19832 19833 2c130ce 19831->19833 19835 2c1a440 69 API calls 19832->19835 19833->19832 19834 2c130d3 19833->19834 19836 2c20a50 Mailbox 68 API calls 19834->19836 19837 2c13114 19835->19837 19842 2c130d8 19836->19842 19838 2c13154 19837->19838 19839 2c1311e _memcmp 19837->19839 19840 2c13135 19838->19840 19843 2c20a50 Mailbox 68 API calls 19838->19843 19839->19840 19845 2c20a50 Mailbox 68 API calls 19839->19845 19841 2c13193 19840->19841 19844 2c20a50 Mailbox 68 API calls 19840->19844 19841->19842 19846 2c20a50 Mailbox 68 API calls 19841->19846 19842->19823 19842->19824 19843->19840 19844->19841 19845->19840 19846->19842 19848 2c13bdd __EH_prolog 19847->19848 19849 2c13bfe htonl htonl 19848->19849 19859 2c223f7 19848->19859 19849->18242 19854 2c13c20 __EH_prolog 19853->19854 19855 2c13c41 
19854->19855 19856 2c223f7 std::bad_exception::bad_exception 59 API calls 19854->19856 19855->18242 19857 2c13c35 19856->19857 19858 2c1a58e 60 API calls 19857->19858 19858->19855 19860 2c22413 std::exception::exception 59 API calls 19859->19860 19861 2c13bf2 19860->19861 19862 2c1a58e 19861->19862 19863 2c1a598 __EH_prolog 19862->19863 19870 2c1cab1 19863->19870 19867 2c1a5b3 19868 2c2449a __CxxThrowException@8 RaiseException 19867->19868 19869 2c1a5c1 19868->19869 19877 2c223dc 19870->19877 19873 2c1caed 19874 2c1caf7 __EH_prolog 19873->19874 19880 2c1b483 19874->19880 19876 2c1cb26 Mailbox 19876->19867 19878 2c22453 std::exception::exception 59 API calls 19877->19878 19879 2c1a5a5 19878->19879 19879->19873 19881 2c1b48d __EH_prolog 19880->19881 19882 2c223dc std::bad_exception::bad_exception 59 API calls 19881->19882 19883 2c1b49e Mailbox 19882->19883 19883->19876 19905 2c1353e 19884->19905 19888 2c12ae8 WSASetLastError connect 19887->19888 19889 2c12ad8 19887->19889 19891 2c1a440 69 API calls 19888->19891 19890 2c20a50 Mailbox 68 API calls 19889->19890 19892 2c12add 19890->19892 19893 2c12b07 19891->19893 19894 2c20a50 Mailbox 68 API calls 19892->19894 19893->19892 19895 2c20a50 Mailbox 68 API calls 19893->19895 19896 2c12b1b 19894->19896 19895->19892 19897 2c20a50 Mailbox 68 API calls 19896->19897 19901 2c12b38 19896->19901 19897->19901 19900 2c12b87 19900->18247 19901->19900 19965 2c13027 19901->19965 19904 2c20a50 Mailbox 68 API calls 19904->19900 19906 2c13548 __EH_prolog 19905->19906 19907 2c13557 19906->19907 19908 2c13576 19906->19908 19909 2c11996 68 API calls 19907->19909 19927 2c12edd WSASetLastError WSASocketA 19908->19927 19913 2c1355f 19909->19913 19912 2c135ad CreateIoCompletionPort 19914 2c135c5 GetLastError 19912->19914 19915 2c135db 19912->19915 19913->18248 19916 2c20a50 Mailbox 68 API calls 19914->19916 19917 2c20a50 Mailbox 68 API calls 19915->19917 19918 2c135d2 19916->19918 19917->19918 19919 2c13626 19918->19919 19920 2c135ef 19918->19920 
19953 2c1de2a 19919->19953 19921 2c20a50 Mailbox 68 API calls 19920->19921 19922 2c13608 19921->19922 19935 2c129ee 19922->19935 19925 2c13659 19926 2c20a50 Mailbox 68 API calls 19925->19926 19926->19913 19928 2c20a50 Mailbox 68 API calls 19927->19928 19929 2c12f0a WSAGetLastError 19928->19929 19930 2c12f21 19929->19930 19931 2c12f41 19929->19931 19932 2c12f27 setsockopt 19930->19932 19933 2c12f3c 19930->19933 19931->19912 19931->19913 19932->19933 19934 2c20a50 Mailbox 68 API calls 19933->19934 19934->19931 19936 2c12a0c 19935->19936 19952 2c12aad 19935->19952 19937 2c12a39 WSASetLastError closesocket 19936->19937 19940 2c20a50 Mailbox 68 API calls 19936->19940 19939 2c1a440 69 API calls 19937->19939 19938 2c20a50 Mailbox 68 API calls 19942 2c12ab8 19938->19942 19941 2c12a51 19939->19941 19943 2c12a21 19940->19943 19945 2c20a50 Mailbox 68 API calls 19941->19945 19941->19952 19942->19913 19957 2c12f50 19943->19957 19947 2c12a5c 19945->19947 19948 2c12a7b ioctlsocket WSASetLastError closesocket 19947->19948 19949 2c20a50 Mailbox 68 API calls 19947->19949 19951 2c1a440 69 API calls 19948->19951 19950 2c12a6e 19949->19950 19950->19948 19950->19952 19951->19952 19952->19938 19952->19942 19954 2c1de34 __EH_prolog 19953->19954 19955 2c23a8f _Allocate 60 API calls 19954->19955 19956 2c1de48 19955->19956 19956->19925 19958 2c12f70 WSASetLastError setsockopt 19957->19958 19959 2c12f5b 19957->19959 19961 2c1a440 69 API calls 19958->19961 19960 2c20a50 Mailbox 68 API calls 19959->19960 19964 2c12a36 19960->19964 19962 2c12f9e 19961->19962 19963 2c20a50 Mailbox 68 API calls 19962->19963 19962->19964 19963->19964 19964->19937 19966 2c1303b 19965->19966 19967 2c1304d WSASetLastError select 19965->19967 19968 2c20a50 Mailbox 68 API calls 19966->19968 19969 2c1a440 69 API calls 19967->19969 19972 2c12b59 19968->19972 19970 2c13095 19969->19970 19971 2c20a50 Mailbox 68 API calls 19970->19971 19970->19972 19971->19972 19972->19900 19973 2c12fb4 19972->19973 19974 2c12fc0 
19973->19974 19975 2c12fd5 WSASetLastError getsockopt 19973->19975 19976 2c20a50 Mailbox 68 API calls 19974->19976 19977 2c1a440 69 API calls 19975->19977 19979 2c12b7a 19976->19979 19978 2c1300f 19977->19978 19978->19979 19980 2c20a50 Mailbox 68 API calls 19978->19980 19979->19900 19979->19904 19980->19979 19988 2c35330 19981->19988 19983 2c132b5 RtlEnterCriticalSection 19984 2c20a50 Mailbox 68 API calls 19983->19984 19985 2c132d6 19984->19985 19989 2c13307 19985->19989 19988->19983 19991 2c13311 __EH_prolog 19989->19991 19992 2c13350 19991->19992 20001 2c17db9 19991->20001 20005 2c1239d 19992->20005 19995 2c20a50 Mailbox 68 API calls 19997 2c1337c 19995->19997 19999 2c12d39 71 API calls 19997->19999 20000 2c13390 19999->20000 20011 2c17d62 20000->20011 20003 2c17dc7 20001->20003 20002 2c17e3d 20002->19991 20003->20002 20015 2c1891e 20003->20015 20009 2c123ab 20005->20009 20006 2c12417 20006->19995 20006->20000 20007 2c123c1 PostQueuedCompletionStatus 20008 2c123da RtlEnterCriticalSection 20007->20008 20007->20009 20008->20009 20009->20006 20009->20007 20010 2c123f8 InterlockedExchange RtlLeaveCriticalSection 20009->20010 20010->20009 20012 2c17d67 20011->20012 20013 2c132ee RtlLeaveCriticalSection 20012->20013 20031 2c11e7f 20012->20031 20013->18263 20016 2c18948 20015->20016 20017 2c17d62 68 API calls 20016->20017 20018 2c1898e 20017->20018 20019 2c189b5 20018->20019 20021 2c1a1ab 20018->20021 20019->20002 20022 2c1a1b5 20021->20022 20023 2c1a1c5 20021->20023 20022->20023 20026 2c1fa69 20022->20026 20023->20019 20027 2c22413 std::exception::exception 59 API calls 20026->20027 20028 2c1fa81 20027->20028 20029 2c2449a __CxxThrowException@8 RaiseException 20028->20029 20030 2c1fa96 20029->20030 20032 2c20a50 Mailbox 68 API calls 20031->20032 20033 2c11e90 20032->20033 20033->20012 20063 2c235f0 20034->20063 20036 2c153c8 20036->18275 20037 2c23849 20036->20037 20038 2c23855 __fsopen 20037->20038 20039 2c23873 20038->20039 20040 2c2388b 20038->20040 20041 2c23883 
__fsopen 20038->20041 20043 2c25d9b _vscan_fn 59 API calls 20039->20043 20205 2c29732 20040->20205 20041->18277 20045 2c23878 20043->20045 20046 2c24e35 _vscan_fn 9 API calls 20045->20046 20046->20041 20051 2c239d3 __fsopen 20050->20051 20052 2c239e7 20051->20052 20053 2c239ff 20051->20053 20054 2c25d9b _vscan_fn 59 API calls 20052->20054 20056 2c29732 __lock_file 60 API calls 20053->20056 20060 2c239f7 __fsopen 20053->20060 20055 2c239ec 20054->20055 20057 2c24e35 _vscan_fn 9 API calls 20055->20057 20058 2c23a11 20056->20058 20057->20060 20232 2c2395b 20058->20232 20060->18275 20065 2c235fc __fsopen 20063->20065 20064 2c2360e 20066 2c25d9b _vscan_fn 59 API calls 20064->20066 20065->20064 20067 2c2363b 20065->20067 20068 2c23613 20066->20068 20082 2c29808 20067->20082 20070 2c24e35 _vscan_fn 9 API calls 20068->20070 20074 2c2361e __fsopen @_EH4_CallFilterFunc@8 20070->20074 20071 2c23640 20072 2c23656 20071->20072 20073 2c23649 20071->20073 20076 2c2367f 20072->20076 20077 2c2365f 20072->20077 20075 2c25d9b _vscan_fn 59 API calls 20073->20075 20074->20036 20075->20074 20097 2c29927 20076->20097 20079 2c25d9b _vscan_fn 59 API calls 20077->20079 20079->20074 20083 2c29814 __fsopen 20082->20083 20084 2c2882d __lock 59 API calls 20083->20084 20090 2c29822 20084->20090 20085 2c2989d 20087 2c289f4 __malloc_crt 59 API calls 20085->20087 20089 2c298a4 20087->20089 20088 2c29913 __fsopen 20088->20071 20092 2c2914c ___lock_fhandle InitializeCriticalSectionAndSpinCount 20089->20092 20095 2c29896 20089->20095 20090->20085 20093 2c288b5 __mtinitlocknum 59 API calls 20090->20093 20090->20095 20117 2c29771 20090->20117 20122 2c297db 20090->20122 20094 2c298ca RtlEnterCriticalSection 20092->20094 20093->20090 20094->20095 20127 2c2991e 20095->20127 20106 2c29944 20097->20106 20098 2c29958 20099 2c25d9b _vscan_fn 59 API calls 20098->20099 20101 2c2995d 20099->20101 20100 2c29aff 20100->20098 20103 2c29b5b 20100->20103 20102 2c24e35 _vscan_fn 9 API calls 20101->20102 20104 2c2368a 
20102->20104 20138 2c30770 20103->20138 20114 2c236ac 20104->20114 20106->20098 20106->20100 20132 2c3078e 20106->20132 20111 2c308bd __openfile 59 API calls 20112 2c29b17 20111->20112 20112->20100 20113 2c308bd __openfile 59 API calls 20112->20113 20113->20100 20198 2c297a1 20114->20198 20116 2c236b2 20116->20074 20118 2c29792 RtlEnterCriticalSection 20117->20118 20119 2c2977c 20117->20119 20118->20090 20120 2c2882d __lock 59 API calls 20119->20120 20121 2c29785 20120->20121 20121->20090 20123 2c297e9 20122->20123 20124 2c297fc RtlLeaveCriticalSection 20122->20124 20130 2c28997 RtlLeaveCriticalSection 20123->20130 20124->20090 20126 2c297f9 20126->20090 20131 2c28997 RtlLeaveCriticalSection 20127->20131 20129 2c29925 20129->20088 20130->20126 20131->20129 20141 2c307a6 20132->20141 20134 2c29ac5 20134->20098 20135 2c308bd 20134->20135 20149 2c308d5 20135->20149 20137 2c29af8 20137->20100 20137->20111 20156 2c30659 20138->20156 20140 2c30789 20140->20104 20142 2c307bb 20141->20142 20148 2c307b4 20141->20148 20143 2c221bb _LocaleUpdate::_LocaleUpdate 59 API calls 20142->20143 20144 2c307c8 20143->20144 20145 2c25d9b _vscan_fn 59 API calls 20144->20145 20144->20148 20146 2c307fb 20145->20146 20147 2c24e35 _vscan_fn 9 API calls 20146->20147 20147->20148 20148->20134 20150 2c221bb _LocaleUpdate::_LocaleUpdate 59 API calls 20149->20150 20152 2c308e8 20150->20152 20151 2c308fd 20151->20137 20152->20151 20153 2c25d9b _vscan_fn 59 API calls 20152->20153 20154 2c30929 20153->20154 20155 2c24e35 _vscan_fn 9 API calls 20154->20155 20155->20151 20159 2c30665 __fsopen 20156->20159 20157 2c3067b 20158 2c25d9b _vscan_fn 59 API calls 20157->20158 20161 2c30680 20158->20161 20159->20157 20160 2c306b1 20159->20160 20167 2c30722 20160->20167 20163 2c24e35 _vscan_fn 9 API calls 20161->20163 20166 2c3068a __fsopen 20163->20166 20166->20140 20176 2c28176 20167->20176 20169 2c306cd 20172 2c306f6 20169->20172 20170 2c30736 20170->20169 20171 2c22eb4 _free 59 API calls 20170->20171 

Control-flow Graph
APIs
• Sleep.KERNEL32(0000EA60), ref: 02C16708
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C16713
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C16724
• InternetOpenA.WININET(?), ref: 02C172B5
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 02C172DD
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02C172F5
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02C1730D
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02C17336
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C17358
• InternetCloseHandle.WININET(00000000), ref: 02C17378
• InternetCloseHandle.WININET(00000000), ref: 02C17383
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C173EE
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C173FF
• _malloc.LIBCMT ref: 02C17498
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C174AA
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C174B6
• _malloc.LIBCMT ref: 02C1758E
• _strtok.LIBCMT ref: 02C175BF
• _swscanf.LIBCMT ref: 02C175D6
• _strtok.LIBCMT ref: 02C175ED
• _free.LIBCMT ref: 02C175F9
• Sleep.KERNEL32(000007D0), ref: 02C176F1
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C17772
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C17784
• _sprintf.LIBCMT ref: 02C17822
• RtlEnterCriticalSection.NTDLL(00000020), ref: 02C178E6
• RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C1791A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
• String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
• API String ID: 1657546717-1839899575
• Opcode ID: de8325c18193bb6d790106e39ca1a3413ba4fc4ddc2a1b5f0f1261508b53c12a
• Instruction ID: 42d5d10994caf431b6db38c658ec4a51bd37a70bdddf291d0b64a676b9397ab9
• Opcode Fuzzy Hash: de8325c18193bb6d790106e39ca1a3413ba4fc4ddc2a1b5f0f1261508b53c12a
• Instruction Fuzzy Hash: 9D32F5715483819FE735AB24DC06BAFBBE6AFC6310F10091DF58A97290DB719508EF92

Control-flow Graph
APIs
• RtlInitializeCriticalSection.NTDLL(02C471B8), ref: 02C164BA
• GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C164D1
• GetProcAddress.KERNEL32(00000000), ref: 02C164DA
• GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C164E9
• GetProcAddress.KERNEL32(00000000), ref: 02C164EC
• GetTickCount.KERNEL32 ref: 02C164F8
  • Part of subcall function 02C1605A: _malloc.LIBCMT ref: 02C16068
• GetVersionExA.KERNEL32(02C47010), ref: 02C16525
• _malloc.LIBCMT ref: 02C16551
  • Part of subcall function 02C22EEC: __FF_MSGBANNER.LIBCMT ref: 02C22F03
  • Part of subcall function 02C22EEC: __NMSG_WRITE.LIBCMT ref: 02C22F0A
  • Part of subcall function 02C22EEC: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 02C22F2F
• _malloc.LIBCMT ref: 02C16561
• _malloc.LIBCMT ref: 02C1656C
• _malloc.LIBCMT ref: 02C16577
• _malloc.LIBCMT ref: 02C16582
• _malloc.LIBCMT ref: 02C1658D
• _malloc.LIBCMT ref: 02C16598
• _malloc.LIBCMT ref: 02C165A7
• GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C165BE
• RtlAllocateHeap.NTDLL(00000000), ref: 02C165C7
• GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C165D6
• RtlAllocateHeap.NTDLL(00000000), ref: 02C165D9
• GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C165E4
• RtlAllocateHeap.NTDLL(00000000), ref: 02C165E7
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C16621
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C1662E
• _malloc.LIBCMT ref: 02C16652
• _malloc.LIBCMT ref: 02C16660
• _malloc.LIBCMT ref: 02C16667
• _malloc.LIBCMT ref: 02C1668D
• QueryPerformanceCounter.KERNEL32(00000200), ref: 02C166A0
• Sleep.KERNEL32 ref: 02C166AE
• _malloc.LIBCMT ref: 02C166BA
• _malloc.LIBCMT ref: 02C166C7
• Sleep.KERNEL32(0000EA60), ref: 02C16708
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C16713
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C16724
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
• String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
• API String ID: 4273019447-2678694477
• Opcode ID: 4ae43dd90b0df9ba0abe74138b66ae3d526c18fe4c96ab9c6505376528e2a041
• Instruction ID: 9894094abf23534424cf6b9dbecd920b9ccf3a500d48a8369857e449006401e5
• Opcode Fuzzy Hash: 4ae43dd90b0df9ba0abe74138b66ae3d526c18fe4c96ab9c6505376528e2a041
• Instruction Fuzzy Hash: A97194B1D443509FE311AF749C45B5BBBE9EF86720F100D29F98597280DBB45808EF96

Control-flow Graph (graph image not reproduced)
APIs
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
• GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
• FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll$o
• API String ID: 514930453-3667123677
• Opcode ID: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
• Instruction ID: 9300e3b8f0653b0f10764aaa79a1f2494f67c894d04353eb45b18fdb2f867aae
• Opcode Fuzzy Hash: 4786119c2dd8152e4b47b2a924d6ecb004799f19bdb0843ab8028876a5fcac46
• Instruction Fuzzy Hash: 9621B870944109AFEF11DF65C944BEF7BB8EF41344F1440BAE504B22E1E778A985CB69

Control-flow Graph (graph image not reproduced)
APIs
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02C1F8F4
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C1F90D
• GetAdaptersInfo.IPHLPAPI(?,?), ref: 02C1F932
• FreeLibrary.KERNEL32(00000000), ref: 02C1F9BB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll
• API String ID: 514930453-3114217049
• Opcode ID: 23479cfb562e8d31988de27f9cc247c064010b8a5f2bb1f8272f43876beca9cf
• Instruction ID: e150ac0f5369088991e487571d4ec73b3590dcfbea904da0bfceb674adee4d81
• Opcode Fuzzy Hash: 23479cfb562e8d31988de27f9cc247c064010b8a5f2bb1f8272f43876beca9cf
• Instruction Fuzzy Hash: 0621DB75D04309ABDB10EF69D881AEEB7F9AF46310F0441ADD545E7605DB308A45DBA0

Control-flow Graph (graph image not reproduced)
APIs
• CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02C1F7F9
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02C1F837
• GetLastError.KERNEL32 ref: 02C1F898
• CloseHandle.KERNEL32(?), ref: 02C1F8CF
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CloseControlCreateDeviceErrorFileHandleLast
• String ID: \\.\PhysicalDrive0
• API String ID: 4026078076-1180397377
• Opcode ID: 3281fa739138dc4124f2ccde4cbc06ee30bfcd14074c9836ce5218264f70daaf
• Instruction ID: 59d972c28745179cd0d4fb4623b680eb43bdc7b91d7b956ff84dc46fc1c4ff4e
• Opcode Fuzzy Hash: 3281fa739138dc4124f2ccde4cbc06ee30bfcd14074c9836ce5218264f70daaf
• Instruction Fuzzy Hash: A031BE71D0031AABEB24CF95C885BAEBBB8EF47714F20026EE504A3680D7705B04DBD0

Control-flow Graph (graph image not reproduced)
APIs
• CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
• DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
• GetLastError.KERNEL32 ref: 00401B0E
• CloseHandle.KERNEL32(?), ref: 00401B3D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: CloseControlCreateDeviceErrorFileHandleLast
• String ID: \\.\PhysicalDrive0
• API String ID: 4026078076-1180397377
• Opcode ID: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
• Instruction ID: c07866d4b4e887281577b2397114bebd63d98cfae9bba907e2345ee80fd6f57b
• Opcode Fuzzy Hash: a2e68a95d94bbc6a40bee8a11280b17da373fae52957672b226b91710cefcd17
• Instruction Fuzzy Hash: 00316D71D01118EACB21EFA5CD849EFBBB9FF41750F20417AE515B22A0E3786E45CB98

Control-flow Graph (graph image not reproduced)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID:
• String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
• API String ID: 0-2678694477
• Opcode ID: 2bbf15161037932f6f43ad5dd3085990d57960ec246aed5fc962515618e7f027
• Instruction ID: 7c862f3754d75f20593795396fb72b654d84cddd12dd3023cae278016371720f
• Opcode Fuzzy Hash: 2bbf15161037932f6f43ad5dd3085990d57960ec246aed5fc962515618e7f027
• Instruction Fuzzy Hash: 1681B4B1D443509FE321AB349C45B5BBBE9EF86320F100C2AF989D7250DB749809EF96

Control-flow Graph

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C11D11
• GetLastError.KERNEL32 ref: 02C11D23
  • Part of subcall function 02C11712: __EH_prolog.LIBCMT ref: 02C11717
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C11D59
• GetLastError.KERNEL32 ref: 02C11D6B
• __beginthreadex.LIBCMT ref: 02C11DB1
• GetLastError.KERNEL32 ref: 02C11DC6
• CloseHandle.KERNEL32(00000000), ref: 02C11DDD
• CloseHandle.KERNEL32(00000000), ref: 02C11DEC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02C11E14
• CloseHandle.KERNEL32(00000000), ref: 02C11E1B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
• String ID: thread$thread.entry_event$thread.exit_event
• API String ID: 831262434-3017686385
• Opcode ID: e147d9cb6b7ffc6880c14cda7c457a4bdfc49922a798bdc05ddedd5109533386
• Instruction ID: 6e0bd396fa27713d3cfc2acddc69570e081c2b4858f534eb8ac19995c4d6f8c6
• Opcode Fuzzy Hash: e147d9cb6b7ffc6880c14cda7c457a4bdfc49922a798bdc05ddedd5109533386
• Instruction Fuzzy Hash: 0731ADB1A003109FD700EF20C889B2BBBA5FF85310F14496DF9599B290DB749949DFD2

Control-flow Graph

APIs
• __EH_prolog.LIBCMT ref: 02C14D8B
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C14DB7
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C14DC3
  • Part of subcall function 02C14BED: __EH_prolog.LIBCMT ref: 02C14BF2
  • Part of subcall function 02C14BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02C14CF2
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C14E93
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C14E99
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C14EA0
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C14EA6
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C150A7
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C150AD
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C150B8
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C150C1
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
• String ID:
• API String ID: 2062355503-0
• Opcode ID: 73e727efc2af5f44d4e36cc11d4e1acdb5b34359d4e24b69f6a0c7d9b9a85f1c
• Instruction ID: 0a34007bea6a931cbd514293fe6c8e9c1f7ff52cf0f034547cd719ec438f6dff
• Opcode Fuzzy Hash: 73e727efc2af5f44d4e36cc11d4e1acdb5b34359d4e24b69f6a0c7d9b9a85f1c
• Instruction Fuzzy Hash: 79B17E71D0425DDFEF25DFA0C841BEEBBB5AF46304F10409AE40976280DB745A49EFA2

Control-flow Graph

APIs
• FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
• GetLastError.KERNEL32 ref: 00401F86
• SizeofResource.KERNEL32(00000000), ref: 00401F93
• LoadResource.KERNEL32(00000000), ref: 00401FAD
• LockResource.KERNEL32(00000000), ref: 00401FB4
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
• GetTickCount.KERNEL32 ref: 00401FFB
• GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
• String ID:
• API String ID: 564119183-0
• Opcode ID: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
• Instruction ID: 3f373f2fe47a9e58058ec223940fe379f908771e1a31376a549d0366c6000c22
• Opcode Fuzzy Hash: c339dbb3d4f54c4bfe23240511e1faf338c1a50a53de60f6f0a2310917010a4d
• Instruction Fuzzy Hash: D0314C32A402516FDB109FB99E889AF7FB8EF45344B10807AFA46F7291D6748841C7A8

Control-flow Graph

APIs
• RtlEnterCriticalSection.NTDLL(?), ref: 02C12706
• CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C1272B
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C35A93), ref: 02C12738
  • Part of subcall function 02C11712: __EH_prolog.LIBCMT ref: 02C11717
• SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02C12778
• RtlLeaveCriticalSection.NTDLL(?), ref: 02C127D9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID: timer
• API String ID: 4293676635-1792073242
• Opcode ID: 2d815fdd4d07a157ccbcfc567aa6c86c40e25b2247c70461f6fcde4a611e993a
• Instruction ID: 70be58b72c3f6df1f3323bd0974226f1bf0361f61b63e7a7ff7d7eeb1e083963
• Opcode Fuzzy Hash: 2d815fdd4d07a157ccbcfc567aa6c86c40e25b2247c70461f6fcde4a611e993a
• Instruction Fuzzy Hash: 5B31ABB1944716AFD310DF65C985B27BBE8FF49724F004A2EF85582A80E770A914DFD2

Control-flow Graph

APIs
• WSASetLastError.WS2_32(00000000), ref: 02C12BE4
• WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02C12C07
  • Part of subcall function 02C1A440: WSAGetLastError.WS2_32(00000000,?,?,02C12A51), ref: 02C1A44E
• WSASetLastError.WS2_32 ref: 02C12CD3
• select.WS2_32(?,?,00000000,00000000,00000000), ref: 02C12CE7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Recvselect
• String ID: 3'
• API String ID: 886190287-280543908
• Opcode ID: ae477f16954e1cf7c69366b49ed6a27687c18250e37014fc87d0262182c371db
• Instruction ID: e350d9e38d2c0e6a3bc1e61062efe6b507b6b8ddf605187939a0c53d7604ffa2
• Opcode Fuzzy Hash: ae477f16954e1cf7c69366b49ed6a27687c18250e37014fc87d0262182c371db
• Instruction Fuzzy Hash: 4A418BB5904311CFD710EF74C80676BBBE9BF86364F10491EE89A83280EB74D544EB92

Control-flow Graph

APIs
• Sleep.KERNEL32(0000EA60), ref: 02C16708
• RtlEnterCriticalSection.NTDLL(02C471B8), ref: 02C16713
• RtlLeaveCriticalSection.NTDLL(02C471B8), ref: 02C16724
• _free.LIBCMT ref: 02C17B50
Strings
• Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C16739
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveSleep_free
• String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
• API String ID: 2653569029-1923541051
• Opcode ID: d28b4dfd320325bce79806934cb6d4316a87da43422d22307f894c694ad779de
• Instruction ID: 18d840b06821fc1e05505d326b1d8957ca5e8d44122b3d94e112705c46bcea5c
• Opcode Fuzzy Hash: d28b4dfd320325bce79806934cb6d4316a87da43422d22307f894c694ad779de
• Instruction Fuzzy Hash: 0711E371D483509BE7109B249C4679BBBEAAF86720F204C25F58697240DB715514EBD2

Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetModuleFileNameA.KERNEL32 ref: 0040B305
                                                                                                              • GetCommandLineW.KERNEL32(?), ref: 0040B324
                                                                                                              • CommandLineToArgvW.SHELL32(00000000), ref: 0040B655
                                                                                                              • GetLocalTime.KERNEL32(00409F90), ref: 0040B878
                                                                                                              Strings
                                                                                                              • Eclipse IO Library 9.27.43, xrefs: 0040B30B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CommandLine$ArgvFileLocalModuleNameTime
                                                                                                              • String ID: Eclipse IO Library 9.27.43
                                                                                                              • API String ID: 1042648101-2124222407
                                                                                                              • Opcode ID: 4ea5313fc702dad747c75675afa4d068a86737ebefe062ed9685430f81578187
                                                                                                              • Instruction ID: dc972e520a3a1c25a8e085b75d184a989db7c982d5ef784bdd5d1ca802e4f2f6
                                                                                                              • Opcode Fuzzy Hash: 4ea5313fc702dad747c75675afa4d068a86737ebefe062ed9685430f81578187
                                                                                                              • Instruction Fuzzy Hash: 1701D131848282EFC70097A18C5D5687BE4EE0635132584BFE193AB0E3CB3C4492DB5E

                                                                                                              Control-flow Graph (function 02C129EE-02C12ABB; rendered graph omitted, only the block and call data is kept)
                                                                                                              • Block 02C12A39-02C12A4C: WSASetLastError, closesocket, then call 02C1A440
                                                                                                              • Block 02C12A7B-02C12AAD: ioctlsocket, WSASetLastError, closesocket, then call 02C1A440
                                                                                                              • Block 02C12A17-02C12A36: call 02C20A50, call 02C12F50
                                                                                                              • Blocks 02C12A57, 02C12A69 and 02C12AB3: call 02C20A50
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C12A3B
                                                                                                              • closesocket.WS2_32 ref: 02C12A42
                                                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C12A89
                                                                                                              • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02C12A97
                                                                                                              • closesocket.WS2_32 ref: 02C12A9E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                                              • String ID:
                                                                                                              • API String ID: 1561005644-0
                                                                                                              • Opcode ID: bd8630fc911cd9861925bf9a8406226426a41a38390632ff36cff5f8f587f846
                                                                                                              • Instruction ID: ed1b0f376fbd3d807c4d73b1ab12c3e210cb51551a76111edce19aee9509333a
                                                                                                              • Opcode Fuzzy Hash: bd8630fc911cd9861925bf9a8406226426a41a38390632ff36cff5f8f587f846
                                                                                                              • Instruction Fuzzy Hash: 6A213DB5D40215EFDB209BB8C905B6AB7E9EF85315F10496EEC05C32C0EB70CA44DB52
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C11BAC
                                                                                                              • RtlEnterCriticalSection.NTDLL ref: 02C11BBC
                                                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02C11BEA
                                                                                                              • RtlEnterCriticalSection.NTDLL ref: 02C11C13
                                                                                                              • RtlLeaveCriticalSection.NTDLL ref: 02C11C56
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                              • String ID:
                                                                                                              • API String ID: 1633115879-0
                                                                                                              • Opcode ID: d9cb1b7a4e7c6f8d392a5bee78d01430341b72a80da156cd39f8136ff140a8cf
                                                                                                              • Instruction ID: 389a01f3bde274b5437ad23f1aca3cf14c1667e66fe06b86bc3af39ac23ec971
                                                                                                              • Opcode Fuzzy Hash: d9cb1b7a4e7c6f8d392a5bee78d01430341b72a80da156cd39f8136ff140a8cf
                                                                                                              • Instruction Fuzzy Hash: 1421BCB5A00604EFCB14CF68C44479ABBB5FF89314F14898AE91997301DBB8EA05DBE0
                                                                                                              APIs
                                                                                                              • GetVersion.KERNEL32 ref: 00402D86
                                                                                                                • Part of subcall function 004039F0: HeapCreate.KERNEL32(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                                                                • Part of subcall function 004039F0: HeapDestroy.KERNEL32 ref: 00403A40
                                                                                                              • GetCommandLineA.KERNEL32 ref: 00402DD4
                                                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00402DFF
                                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E22
                                                                                                                • Part of subcall function 00402E7B: ExitProcess.KERNEL32 ref: 00402E98
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                              • String ID:
                                                                                                              • API String ID: 2057626494-0
                                                                                                              • Opcode ID: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                                                                              • Instruction ID: f31f1ce04d2051e6b9e8acf883bbbbaa5bd69f55a1c9941ff1c46623f1a3e60c
                                                                                                              • Opcode Fuzzy Hash: 9e286e5f9a377e3797ece88135c359dedbbb575cc14907a13f37508a60b21901
                                                                                                              • Instruction Fuzzy Hash: AD219FB0840715AADB04EFA6DE09A6E7BB8EB04704F10413FF502B72E2DB388510CB59
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C12EEE
                                                                                                              • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C12EFD
                                                                                                              • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C12F0C
                                                                                                              • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C12F36
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Socketsetsockopt
                                                                                                              • String ID:
                                                                                                              • API String ID: 2093263913-0
                                                                                                              • Opcode ID: affb102a266d64ef700e92fdca85cab0854b418469608b9e321522007ada5a67
                                                                                                              • Instruction ID: 1462909d0c143ffa1ba1faa0d9ca9ef9a1d77544888c89cdc1122337e4cce707
                                                                                                              • Opcode Fuzzy Hash: affb102a266d64ef700e92fdca85cab0854b418469608b9e321522007ada5a67
                                                                                                              • Instruction Fuzzy Hash: E301D871940214FBDB205F65DC49F5ABBA9FB89721F008965F908CB180C7718904CBB0
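The two Winsock sequences above only become readable once their raw argument values are decoded: ioctlsocket at 02C12A89 is called with cmd 8004667E, WSASocketA at 02C12EFD with dwFlags 00000001, and setsockopt at 02C12F36 with level 00000029 and optname 0000001B. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's own "APIs" line format (the five sample lines are copied from the blocks above and embedded as constructed input) and maps the visible constants to their Winsock names, FIONBIO, WSA_FLAG_OVERLAPPED and IPPROTO_IPV6/IPV6_V6ONLY, whose numeric values are taken from the Windows SDK headers. Pointer arguments (the u_long behind ioctlsocket's argp, the option value behind setsockopt's optval) are deliberately not interpreted, because the report prints the pointer, not what it points to.

```python
import re

# Winsock constants (Winsock2.h / ws2ipdef.h) used to decode the raw argument
# values that Joe Sandbox prints beside each call.
FIONBIO = 0x8004667E        # ioctlsocket cmd: toggle non-blocking mode
WSA_FLAG_OVERLAPPED = 0x01  # WSASocket dwFlags: overlapped (IOCP-capable) socket
IPPROTO_IPV6 = 41           # setsockopt level 0x29
IPV6_V6ONLY = 27            # setsockopt optname 0x1B at the IPPROTO_IPV6 level

# Constructed input: "APIs" lines copied from the report blocks above.
SAMPLE = """\
• WSASetLastError.WS2_32(00000000), ref: 02C12A3B
• closesocket.WS2_32 ref: 02C12A42
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C12A89
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C12EFD
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C12F36
"""

# One report line: "• Name.Module(arg,arg,...), ref: ADDR". The argument list
# is optional and "?" marks a value the sandbox could not recover.
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Return a list of {api, module, args, ref} dicts, one per parseable line."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def describe(call):
    """Map a call plus its visible constants to a short behavioural note."""
    api, args = call["api"], call["args"]
    # ioctlsocket(s, cmd, *argp): only cmd is a plain value; argp is a pointer.
    if api == "ioctlsocket" and len(args) >= 2 and args[1] == FIONBIO:
        return "FIONBIO: toggles non-blocking mode (flag value is behind argp)"
    # WSASocketA(af, type, protocol, lpProtocolInfo, g, dwFlags)
    if api == "WSASocketA" and len(args) == 6 and args[5] is not None:
        if args[5] & WSA_FLAG_OVERLAPPED:
            return "WSA_FLAG_OVERLAPPED: socket created for overlapped/IOCP I/O"
        return "socket created without WSA_FLAG_OVERLAPPED"
    # setsockopt(s, level, optname, *optval, optlen)
    if api == "setsockopt" and len(args) == 5:
        if (args[1], args[2]) == (IPPROTO_IPV6, IPV6_V6ONLY):
            return ("IPV6_V6ONLY on an AF_INET6 socket (optlen %s); the value "
                    "written is not visible in the report" % args[4])
        return "setsockopt level=%s optname=%s" % (args[1], args[2])
    return None


def annotate(text):
    """Parse report lines and return {ref_address: note} for decodable calls."""
    notes = {}
    for call in parse_api_lines(text):
        note = describe(call)
        if note:
            notes[call["ref"]] = note
    return notes


if __name__ == "__main__":
    for ref, note in sorted(annotate(SAMPLE).items()):
        print("%08X  %s" % (ref, note))
```

Read together, the decoded calls describe non-blocking, overlapped, IPv6-capable sockets, which fits the PostQueuedCompletionStatus, select and WSASend calls listed in the neighbouring blocks of this section; whether IPV6_V6ONLY is set to 0 (dual-stack) or 1 cannot be determined from the report alone and would need the memory dump or a debugger.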
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C4A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C4A000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c4a000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseFileHandleWrite
                                                                                                              • String ID: O~|
                                                                                                              • API String ID: 1769507746-3096879844
                                                                                                              • Opcode ID: 8761aa949d701eaee4ea452fdf01b94f1dd62ab8aebdd3d2cec3905bd78b212b
                                                                                                              • Instruction ID: 3eb15641f275d649f7dee94ca9aacba9493d10d5345c653e07e9d7da79dd7856
                                                                                                              • Opcode Fuzzy Hash: 8761aa949d701eaee4ea452fdf01b94f1dd62ab8aebdd3d2cec3905bd78b212b
                                                                                                              • Instruction Fuzzy Hash: 975138F290C614AFE315AE19EC85BBEFBE5EF84720F06492DE7C483600E6355845CA97
                                                                                                              APIs
                                                                                                                • Part of subcall function 02C12D39: WSASetLastError.WS2_32(00000000), ref: 02C12D47
                                                                                                                • Part of subcall function 02C12D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02C12D5C
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C12E6D
                                                                                                              • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02C12E83
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Sendselect
                                                                                                              • String ID: 3'
                                                                                                              • API String ID: 2958345159-280543908
                                                                                                              • Opcode ID: c8b0e632b0c56cf26963111d32fe38aeb4ea50990a4bc088eea384e40d728f40
                                                                                                              • Instruction ID: 0d090e47e7260f5410db249ef16652307f0a3c35aa5afa5ff9859ddae0063c60
                                                                                                              • Opcode Fuzzy Hash: c8b0e632b0c56cf26963111d32fe38aeb4ea50990a4bc088eea384e40d728f40
                                                                                                              • Instruction Fuzzy Hash: 8531C2B4E00229DFDB10EF60C806BEE7BAAFF46314F00455ADC0997280EB759555EFA2
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C12AEA
                                                                                                              • connect.WS2_32(?,?,?), ref: 02C12AF5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastconnect
                                                                                                              • String ID: 3'
                                                                                                              • API String ID: 374722065-280543908
                                                                                                              • Opcode ID: e77a372b025d88859e9cee02b8382bdc2626e152da56f2e9c4072792d2ca3543
                                                                                                              • Instruction ID: 51aa2c280d4db58c250c2eac13c8b5b5a8fbdfe8e76f34b47e61f77edcbd432f
                                                                                                              • Opcode Fuzzy Hash: e77a372b025d88859e9cee02b8382bdc2626e152da56f2e9c4072792d2ca3543
                                                                                                              • Instruction Fuzzy Hash: 2821C975E00224EBCF10EFB4D405BAEBBBAEF85324F40459ADD1997280DB744605AF92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog
                                                                                                              • String ID:
                                                                                                              • API String ID: 3519838083-0
                                                                                                              • Opcode ID: 5c3fe6c5e1ee611df3f65a6344ab6260ef32e1dae7c671887cbe2595c81b7a40
                                                                                                              • Instruction ID: d001f2467a11fc55c9c19f4fe725c362f3d7c7e36641d2ea447080652cf2baf7
                                                                                                              • Opcode Fuzzy Hash: 5c3fe6c5e1ee611df3f65a6344ab6260ef32e1dae7c671887cbe2595c81b7a40
                                                                                                              • Instruction Fuzzy Hash: BC514DB1904256DFCB05CF68C4426AABBB1FF49724F14819EE8299B380D7749A10DFA1
                                                                                                              APIs
                                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 02C136A7
                                                                                                                • Part of subcall function 02C12420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C12432
                                                                                                                • Part of subcall function 02C12420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C12445
                                                                                                                • Part of subcall function 02C12420: RtlEnterCriticalSection.NTDLL(?), ref: 02C12454
                                                                                                                • Part of subcall function 02C12420: InterlockedExchange.KERNEL32(?,00000001), ref: 02C12469
                                                                                                                • Part of subcall function 02C12420: RtlLeaveCriticalSection.NTDLL(?), ref: 02C12470
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1601054111-0
                                                                                                              • Opcode ID: 5d2f025b7e699a649329da110a966b9a57fbc09d4ddd01ac809404366aec195c
                                                                                                              • Instruction ID: 17d32b71ac4289f6005d11c298c259f6892219dc0bed06fd21947102e7fd4ce8
                                                                                                              • Opcode Fuzzy Hash: 5d2f025b7e699a649329da110a966b9a57fbc09d4ddd01ac809404366aec195c
                                                                                                              • Instruction Fuzzy Hash: 061101B6200248ABDF218E14CC86FAA3B6AFF42358F004556FD528B290CB34D960EBD4
                                                                                                              APIs
                                                                                                              • __beginthreadex.LIBCMT ref: 02C22046
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02C1A8C0,00000000), ref: 02C22077
                                                                                                              • ResumeThread.KERNEL32(?,?,?,?,?,00000002,02C1A8C0,00000000), ref: 02C22085
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandleResumeThread__beginthreadex
                                                                                                              • String ID:
                                                                                                              • API String ID: 1685284544-0
                                                                                                              • Opcode ID: d373419b012e1c506912d527e9275d7877649e74cbbf5b0d2b54c83fef8f4f51
                                                                                                              • Instruction ID: 1282aac6b5f340c6c5e617868d9147d9702cbdf5a5339ba868821d355bfdd77a
                                                                                                              • Opcode Fuzzy Hash: d373419b012e1c506912d527e9275d7877649e74cbbf5b0d2b54c83fef8f4f51
                                                                                                              • Instruction Fuzzy Hash: 99F062716402116BE7209E6CDC84F91B3E8AF88725F24096AF658D7294CB71E89ADAD0
                                                                                                              APIs
                                                                                                              • InterlockedIncrement.KERNEL32(02C4727C), ref: 02C11ABA
                                                                                                              • WSAStartup.WS2_32(00000002,00000000), ref: 02C11ACB
                                                                                                              • InterlockedExchange.KERNEL32(02C47280,00000000), ref: 02C11AD7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$ExchangeIncrementStartup
                                                                                                              • String ID:
                                                                                                              • API String ID: 1856147945-0
                                                                                                              • Opcode ID: 0d38ef1acb0027b1e9b59a74c7d3bd93a4d3a553b50861b818d78622bdc1bf07
                                                                                                              • Instruction ID: 4beca39359cf40ec3b1589362cf4d592441d1fee4c2a83fff3517e527a538844
                                                                                                              • Opcode Fuzzy Hash: 0d38ef1acb0027b1e9b59a74c7d3bd93a4d3a553b50861b818d78622bdc1bf07
                                                                                                              • Instruction Fuzzy Hash: 35D05EB1DD02089BF62066A0AE0FB79F72CE706611F000F61FDAAC04C0EB61562C85E6
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C4A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C4A000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c4a000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID: #rZ*
                                                                                                              • API String ID: 823142352-1599676410
                                                                                                              • Opcode ID: b8aa41df4191c2ff839fd72e7d5db4d2a1b1ccaf9709ecb315b5a850be0fd349
                                                                                                              • Instruction ID: 01304e08ac62fa6c315ebb00a9743d1b0bda89e7f0c48aabfbd1f9ecaa5e0ff4
                                                                                                              • Opcode Fuzzy Hash: b8aa41df4191c2ff839fd72e7d5db4d2a1b1ccaf9709ecb315b5a850be0fd349
                                                                                                              • Instruction Fuzzy Hash: AC51F3F360C304AFE7157E29DC917BEBBD8EB94320F56062DE7C543741EA3558008696
                                                                                                              APIs
                                                                                                              • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), ref: 0040B4E4
                                                                                                              Strings
                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040B225
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Open
                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                              • API String ID: 71445658-2036018995
                                                                                                              • Opcode ID: 2d5df7d603607d83e32ea2335fe1407f5733ee9528a5b9de8f12e11e9caffe9b
                                                                                                              • Instruction ID: f16a4debd6cc5e3d1dbfd8abfc7b9284dcc8268b12d4951e383af56c0e44f276
                                                                                                              • Opcode Fuzzy Hash: 2d5df7d603607d83e32ea2335fe1407f5733ee9528a5b9de8f12e11e9caffe9b
                                                                                                              • Instruction Fuzzy Hash: E0D0223030C102E6D7004AA0A8093767354E700390F300E33D603F00C1E3BD880AA1AF
                                                                                                              APIs
                                                                                                              • RegQueryValueExA.KERNEL32(?,Common AppData), ref: 0040B6C9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue
                                                                                                              • String ID: Common AppData
                                                                                                              • API String ID: 3660427363-2574214464
                                                                                                              • Opcode ID: c55fb4e1a784324d5c4b3e7555b2ea64966d792e9b16d82899e36bc418aedae3
                                                                                                              • Instruction ID: 17a911c67b51cd0d4472802b1d1215ce876cf38fed415aecc2b2386cedade105
                                                                                                              • Opcode Fuzzy Hash: c55fb4e1a784324d5c4b3e7555b2ea64966d792e9b16d82899e36bc418aedae3
                                                                                                              • Instruction Fuzzy Hash: 2EC08C70D48106FEC7104F204E88A7E7A7CBA447403214D37E813B20C0C7BA0002BA2F
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C14BF2
                                                                                                                • Part of subcall function 02C11BA7: __EH_prolog.LIBCMT ref: 02C11BAC
                                                                                                                • Part of subcall function 02C11BA7: RtlEnterCriticalSection.NTDLL ref: 02C11BBC
                                                                                                                • Part of subcall function 02C11BA7: RtlLeaveCriticalSection.NTDLL ref: 02C11BEA
                                                                                                                • Part of subcall function 02C11BA7: RtlEnterCriticalSection.NTDLL ref: 02C11C13
                                                                                                                • Part of subcall function 02C11BA7: RtlLeaveCriticalSection.NTDLL ref: 02C11C56
                                                                                                                • Part of subcall function 02C1E02F: __EH_prolog.LIBCMT ref: 02C1E034
                                                                                                                • Part of subcall function 02C1E02F: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C1E0B3
                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 02C14CF2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                                              • String ID:
                                                                                                              • API String ID: 1927618982-0
                                                                                                              • Opcode ID: 60f582455b9c151d59ccddba9e3a21ee4a9f885137853b3238eae98b39844653
                                                                                                              • Instruction ID: e6fb168096fede4d61afb8336bfc741bde2558be9dba91a48e97c60edb0bffba
                                                                                                              • Opcode Fuzzy Hash: 60f582455b9c151d59ccddba9e3a21ee4a9f885137853b3238eae98b39844653
                                                                                                              • Instruction Fuzzy Hash: CC5168B1D04248DFDF15DFA8D885AEEBBB5EF09314F14816AE805AB341DB309A04EF91
                                                                                                              APIs
                                                                                                              • lstrcat.KERNEL32(03426F7D), ref: 02C5294A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C4A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C4A000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c4a000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrcat
                                                                                                              • String ID: ++{
                                                                                                              • API String ID: 4038537762-3155876417
                                                                                                              • Opcode ID: 631d20e6b030a13884c4ffed4088c5e03c71d326d93e411c5242af7419f1c47f
                                                                                                              • Instruction ID: 2e03a8c2642b5112589893f5751bf355440702279983d6de2f2a8e64d3ad4e9b
                                                                                                              • Opcode Fuzzy Hash: 631d20e6b030a13884c4ffed4088c5e03c71d326d93e411c5242af7419f1c47f
                                                                                                              • Instruction Fuzzy Hash: 9531ADB290C214AFD7157F09DC8577AF7E8EF94320F0A092EEAD483300EA759851CB96
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C12D47
                                                                                                              • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02C12D5C
                                                                                                                • Part of subcall function 02C1A440: WSAGetLastError.WS2_32(00000000,?,?,02C12A51), ref: 02C1A44E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$Send
                                                                                                              • String ID:
                                                                                                              • API String ID: 1282938840-0
                                                                                                              • Opcode ID: 4b66a1b8fc88cd14a59368181494529e01d16fb516b454da6033dc9d23ac8f89
                                                                                                              • Instruction ID: ef57fdd861236174b23f6f42e1658eca5052308be57b328596ad241a3d9aaf3f
                                                                                                              • Opcode Fuzzy Hash: 4b66a1b8fc88cd14a59368181494529e01d16fb516b454da6033dc9d23ac8f89
                                                                                                              • Instruction Fuzzy Hash: 650184B5900215EFD7206FA5C84596BBBEDFF86764B20052FEC5983300DB709D10EB62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3902f0929868f52f6b83a53faaf5a38de1e7956c54c563d39ba77ae17a9c35b
                                                                                                              • Instruction ID: 8bfbd58a044552f4b9e8c5aa7f60dcb48bc0ac5b18c7ddd0a1e1a4d068a8d1d1
                                                                                                              • Opcode Fuzzy Hash: d3902f0929868f52f6b83a53faaf5a38de1e7956c54c563d39ba77ae17a9c35b
                                                                                                              • Instruction Fuzzy Hash: DA01D17084C101FEDB15AFA18E5CABE3724E910701331453BD803B12D1D7BC8A12A69F
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C1833E
                                                                                                              • shutdown.WS2_32(?,00000002), ref: 02C18347
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastshutdown
                                                                                                              • String ID:
                                                                                                              • API String ID: 1920494066-0
                                                                                                              • Opcode ID: 2b4ce797c00f26d372bb1cb8fa7061f5ba8103d5c6d1a5c3453143e3483cac37
                                                                                                              • Instruction ID: 11ce382df3fc27b0dce85264748a32a4e803db8dd8effcfb6a5a7ea87e53e989
                                                                                                              • Opcode Fuzzy Hash: 2b4ce797c00f26d372bb1cb8fa7061f5ba8103d5c6d1a5c3453143e3483cac37
                                                                                                              • Instruction Fuzzy Hash: 83F0BEB1A44314CFD720AF28D406B5ABBE5BF49330F548A1DEDA997380DB31AC10DBA1
                                                                                                              APIs
                                                                                                              • HeapCreate.KERNEL32(00000000,00001000,00000000,00402DBF,00000000), ref: 00403A01
                                                                                                                • Part of subcall function 004038A8: GetVersionExA.KERNEL32 ref: 004038C7
                                                                                                              • HeapDestroy.KERNEL32 ref: 00403A40
                                                                                                                • Part of subcall function 00403DC7: HeapAlloc.KERNEL32(00000000,00000140,00403A29,000003F8), ref: 00403DD4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$AllocCreateDestroyVersion
                                                                                                              • String ID:
                                                                                                              • API String ID: 2507506473-0
                                                                                                              • Opcode ID: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                                                                              • Instruction ID: 5dadef9d12e489db140da5c14b34350ea54a5b880f3286d9e4ff1a1591b79aa3
                                                                                                              • Opcode Fuzzy Hash: 08f14aee262382775140a5fb38b16d88e88289f6ea168ffb6a246c9e47cbf934
                                                                                                              • Instruction Fuzzy Hash: 04F065707553016ADB24EF705E4676B3DD8AB80B53F10443BF541F41E0EB7C8690991A
                                                                                                              APIs
                                                                                                              • VirtualAlloc.KERNEL32(00000000), ref: 0040B01F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID: D*X
                                                                                                              • API String ID: 4275171209-1444360580
                                                                                                              • Opcode ID: be1b60655502a77b438630a159cfee42b780d1365d365f0ee256d249edeebfcc
                                                                                                              • Instruction ID: 674bc1e357348befb5f5fc749722f203f51b8d7df494d28343854b05007eaf87
                                                                                                              • Opcode Fuzzy Hash: be1b60655502a77b438630a159cfee42b780d1365d365f0ee256d249edeebfcc
                                                                                                              • Instruction Fuzzy Hash: 95C012319045229BC6104B51494566B3EA4EB04795F210023661777590C3340855E7DE
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseEvent
                                                                                                              • String ID:
                                                                                                              • API String ID: 2624557715-0
APIs
• __EH_prolog.LIBCMT ref: 02C1511E
  • Part of subcall function 02C13D7E: htons.WS2_32(?), ref: 02C13DA2
  • Part of subcall function 02C13D7E: htonl.WS2_32(00000000), ref: 02C13DB9
  • Part of subcall function 02C13D7E: htonl.WS2_32(00000000), ref: 02C13DC0
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: htonl$H_prologhtons
• String ID:
• API String ID: 4039807196-0
APIs
• __EH_prolog.LIBCMT ref: 02C1E8FD
  • Part of subcall function 02C11A01: TlsGetValue.KERNEL32 ref: 02C11A0A
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: H_prologValue
• String ID:
• API String ID: 3700342317-0
APIs
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C133CC
  • Part of subcall function 02C132AB: __EH_prolog.LIBCMT ref: 02C132B0
  • Part of subcall function 02C132AB: RtlEnterCriticalSection.NTDLL(?), ref: 02C132C3
  • Part of subcall function 02C132AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C132EF
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
• String ID:
• API String ID: 1518410164-0
APIs
• __EH_prolog.LIBCMT ref: 02C1E48D
  • Part of subcall function 02C126DB: RtlEnterCriticalSection.NTDLL(?), ref: 02C12706
  • Part of subcall function 02C126DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C1272B
  • Part of subcall function 02C126DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C35A93), ref: 02C12738
  • Part of subcall function 02C126DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02C12778
  • Part of subcall function 02C126DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C127D9
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID:
• API String ID: 4293676635-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
APIs
• __EH_prolog.LIBCMT ref: 02C1E26C
  • Part of subcall function 02C23A8F: _malloc.LIBCMT ref: 02C23AA7
  • Part of subcall function 02C1E488: __EH_prolog.LIBCMT ref: 02C1E48D
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: H_prolog$_malloc
• String ID:
• API String ID: 4254904621-0
APIs
  • Part of subcall function 02C25B9A: __getptd_noexit.LIBCMT ref: 02C25B9B
  • Part of subcall function 02C25B9A: __amsg_exit.LIBCMT ref: 02C25BA8
  • Part of subcall function 02C233D6: __getptd_noexit.LIBCMT ref: 02C233DA
  • Part of subcall function 02C233D6: __freeptd.LIBCMT ref: 02C233F4
  • Part of subcall function 02C233D6: RtlExitUserThread.NTDLL(?,00000000,?,02C233B6,00000000), ref: 02C233FD
• __XcptFilter.LIBCMT ref: 02C233C2
  • Part of subcall function 02C28CD4: __getptd_noexit.LIBCMT ref: 02C28CD8
Memory Dump Source
• Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
• String ID:
• API String ID: 1405322794-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
                                                                                                              • Opcode ID: 0619af9ce46f6ba007f113b533e9913df0395168a4f8c105e8de7cd7f2abdc9e
                                                                                                              • Instruction ID: 135f214858860a95caaf656eb2adbe6d945cd54912c2b765fb7e399feef37828
                                                                                                              • Opcode Fuzzy Hash: 0619af9ce46f6ba007f113b533e9913df0395168a4f8c105e8de7cd7f2abdc9e
                                                                                                              • Instruction Fuzzy Hash: E5A01230C95000B7C7021740DE0885CBE646E083003300171B202300F082B610105B19
                                                                                                              APIs
                                                                                                                • Part of subcall function 02C21550: OpenEventA.KERNEL32(00100002,00000000,00000000,E0B1A480), ref: 02C215F0
                                                                                                                • Part of subcall function 02C21550: CloseHandle.KERNEL32(00000000), ref: 02C21605
                                                                                                                • Part of subcall function 02C21550: ResetEvent.KERNEL32(00000000,E0B1A480), ref: 02C2160F
                                                                                                                • Part of subcall function 02C21550: CloseHandle.KERNEL32(00000000,E0B1A480), ref: 02C21644
                                                                                                              • TlsSetValue.KERNEL32(0000002C,?), ref: 02C220EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEventHandle$OpenResetValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 1556185888-0
                                                                                                              • Opcode ID: cce70325ddae1282027c74df3afa084285312dc903c0637259f33e432466fd8e
                                                                                                              • Instruction ID: 2d62464f0256606d581e6c5785f3a5b67024807097d4e11fe1288546e837bca4
                                                                                                              • Opcode Fuzzy Hash: cce70325ddae1282027c74df3afa084285312dc903c0637259f33e432466fd8e
                                                                                                              • Instruction Fuzzy Hash: 45018F71A44254ABD710CF58DC45B5ABBBCEB05670F104B6AE829D3280DB7169148AA4
                                                                                                              APIs
                                                                                                                • Part of subcall function 00401F64: FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                                                • Part of subcall function 00401F64: GetLastError.KERNEL32 ref: 00401F86
                                                                                                                • Part of subcall function 00401F64: SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                                              • Sleep.KERNEL32(000007D0,?,0029226D), ref: 0040B801
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$ErrorFindLastSizeofSleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 2659282285-0
                                                                                                              • Opcode ID: a30d2dc63f565f5f77289b332b500a051927e9fec619ad8cc045ff4e98d544ad
                                                                                                              • Instruction ID: 039b88a8dcf10f9c244d64d6b241b3a1228976f9836f64239fed7cb20f37302f
                                                                                                              • Opcode Fuzzy Hash: a30d2dc63f565f5f77289b332b500a051927e9fec619ad8cc045ff4e98d544ad
                                                                                                              • Instruction Fuzzy Hash: 39D05E3265C202CAD20C221034197341161F748B51F34003FF10B7A1D18EBE0402628F
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(000007D0,?,0029226D), ref: 0040B801
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: 71ed06270a55f957fb0ae97acaf2e41d6db21340e7040e3977e60c44980708ad
                                                                                                              • Instruction ID: 529134bb4be7d436e77b599dc39e4bb55d0dc1ab89edbbba415f2bcaffe7b413
                                                                                                              • Opcode Fuzzy Hash: 71ed06270a55f957fb0ae97acaf2e41d6db21340e7040e3977e60c44980708ad
                                                                                                              • Instruction Fuzzy Hash: B5D05EB6948206EAEA002B106A457683124FB08315F642433FA07B61D6DB795442D6DE
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: lstrcmpi
                                                                                                              • String ID:
                                                                                                              • API String ID: 1586166983-0
                                                                                                              • Opcode ID: afc060a1dc9f2c09d52ddf769f7b78e1d9a5007ca048432da7c9afa9c24ed8d5
                                                                                                              • Instruction ID: 0e5a9f3835fceab65f8161c2ac0e78c46e2dcfbafadd64f81733265e883a368e
                                                                                                              • Opcode Fuzzy Hash: afc060a1dc9f2c09d52ddf769f7b78e1d9a5007ca048432da7c9afa9c24ed8d5
                                                                                                              • Instruction Fuzzy Hash: 64D01270D06519EED7106F714A6C2AF7664E914755730487FD813F11C0D7BC41116A6D
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: 9c80ea6232b6eb2ca8ec1a064af6b754d7b368a06d3accd401c5647994c6c113
                                                                                                              • Instruction ID: 4dd6e061a2ed90917861212372999b9d1b5613fcf30d17e99f345e0966a7defc
                                                                                                              • Opcode Fuzzy Hash: 9c80ea6232b6eb2ca8ec1a064af6b754d7b368a06d3accd401c5647994c6c113
                                                                                                              • Instruction Fuzzy Hash: 5EC04C75989601A7C2013AA16E45BB4B624E70D319F2450366607304E197796126A6DF
                                                                                                              APIs
                                                                                                              • Sleep.KERNEL32(000007D0,?,0029226D), ref: 0040B801
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: 94d9deb5d794199e98e93e1f5b18ef859441c1898a632bacdd8ea4d66eb887a1
                                                                                                              • Instruction ID: 5785da175a53eedf82b78341746dfd2aafd78d5412f9d825c06b865f4fdbab56
                                                                                                              • Opcode Fuzzy Hash: 94d9deb5d794199e98e93e1f5b18ef859441c1898a632bacdd8ea4d66eb887a1
                                                                                                              • Instruction Fuzzy Hash: 07C09271998602EAD24427507A49B343230FB44B42FB4113BB603764E28BBE0403BADF
                                                                                                              APIs
                                                                                                              • CreateServiceA.ADVAPI32 ref: 0040270C
                                                                                                              • CloseServiceHandle.ADVAPI32(?), ref: 0040B411
                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 0040B86E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Service$CloseHandle$Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2095555506-0
                                                                                                              • Opcode ID: 8282fb0c9cfcdb19bba24561d8ecf29e5b81246dde775ad19adb4ef11915ab64
                                                                                                              • Instruction ID: e72162baefc81ba72820ea022bb1d37a2cc7e083464921caf7f039fb4e03aedc
                                                                                                              • Opcode Fuzzy Hash: 8282fb0c9cfcdb19bba24561d8ecf29e5b81246dde775ad19adb4ef11915ab64
                                                                                                              • Instruction Fuzzy Hash: E3D0C731844015EBCF159FA15F4841D7A35E7403417224472E103761E1C73A5F26BEAE
                                                                                                              APIs
                                                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C208E2
                                                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C208EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorFormatLastMessage
                                                                                                              • String ID:
                                                                                                              • API String ID: 3479602957-0
                                                                                                              • Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                                                              • Instruction ID: 1bc761f3d3e1c33e686e0404063f5184cda049d4b250cdb0f7755023f44ad0c0
                                                                                                              • Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                                                              • Instruction Fuzzy Hash: F4F03030208341DFEB14DE25C851B2EB7E4ABED754F50092DF596A2191D770D245CB56
                                                                                                              APIs
                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02C24DD6,?,?,?,00000001), ref: 02C2946D
                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02C29476
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID:
                                                                                                              • API String ID: 3192549508-0
                                                                                                              • Opcode ID: 084f8f28a2a79e72ec59c6696c11fcb700bdcc4a6b981266b2114244e2527bb0
                                                                                                              • Instruction ID: d5e81a8eb45caca88829d089e9b5e9f783b036c33855e5a69ea201a6b23ae8a0
                                                                                                              • Opcode Fuzzy Hash: 084f8f28a2a79e72ec59c6696c11fcb700bdcc4a6b981266b2114244e2527bb0
                                                                                                              • Instruction Fuzzy Hash: 69B0927548420CEBCB012B92EC0DB89BF68EB04662F004D10F60E440508B7254249AE1
                                                                                                              APIs
                                                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040B728
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CtrlDispatcherServiceStart
                                                                                                              • String ID:
                                                                                                              • API String ID: 3789849863-0
                                                                                                              • Opcode ID: deec43b8dcc897605fa050e878db13adb1085b9c2442af474a0c99484f8a22c2
                                                                                                              • Instruction ID: 2c378dae27369dad1c58bd9ba8a5e02095a08d98542137ac852fb368b363cb6f
                                                                                                              • Opcode Fuzzy Hash: deec43b8dcc897605fa050e878db13adb1085b9c2442af474a0c99484f8a22c2
                                                                                                              • Instruction Fuzzy Hash: 32D0A7B504C2C2DFC306876404088793F38784A25130606D3C0835A297D339415A83B7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                                              • Instruction ID: 3b6a9ca16b06b5dd4511884f96d7af7dafe91acb45f02e32af86de53a8271ced
                                                                                                              • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                                              • Instruction Fuzzy Hash: 7BF082B1904309ABD714DF95D942B9DFBB9EB45310F208169D508A7340E6707A159F94
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C124E6
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02C124FC
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C1250E
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C1256D
                                                                                                              • SetLastError.KERNEL32(00000000,?,74DEDFB0), ref: 02C1257F
                                                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,74DEDFB0), ref: 02C12599
                                                                                                              • GetLastError.KERNEL32(?,74DEDFB0), ref: 02C125A2
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C125F0
                                                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 02C1262F
                                                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C1268E
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C12699
                                                                                                              • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02C126AD
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,74DEDFB0), ref: 02C126BD
                                                                                                              • GetLastError.KERNEL32(?,74DEDFB0), ref: 02C126C7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                                              • String ID:
                                                                                                              • API String ID: 1213838671-0
                                                                                                              • Opcode ID: 9d2b9ca87329852d0171fe5cb11215857f78be0aef34ee1f63c3424212efae6d
                                                                                                              • Instruction ID: 1cb6e33980b1c7bdb788b14d6455fe40ffc8c5ea97eeee6def7b91ab721adfaa
                                                                                                              • Opcode Fuzzy Hash: 9d2b9ca87329852d0171fe5cb11215857f78be0aef34ee1f63c3424212efae6d
                                                                                                              • Instruction Fuzzy Hash: D56171B5D00219EFCB11DFA4D585AAEFBB9FF49310F10496AE916E3240D7309A08DFA1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C14608
                                                                                                                • Part of subcall function 02C23A8F: _malloc.LIBCMT ref: 02C23AA7
                                                                                                              • htons.WS2_32(?), ref: 02C14669
                                                                                                              • htonl.WS2_32(?), ref: 02C1468C
                                                                                                              • htonl.WS2_32(00000000), ref: 02C14693
                                                                                                              • htons.WS2_32(00000000), ref: 02C14747
                                                                                                              • _sprintf.LIBCMT ref: 02C1475D
                                                                                                                • Part of subcall function 02C188C3: _memmove.LIBCMT ref: 02C188E3
                                                                                                              • htons.WS2_32(?), ref: 02C146B0
                                                                                                                • Part of subcall function 02C1966E: __EH_prolog.LIBCMT ref: 02C19673
                                                                                                                • Part of subcall function 02C1966E: RtlEnterCriticalSection.NTDLL(00000020), ref: 02C196EE
                                                                                                                • Part of subcall function 02C1966E: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C1970C
                                                                                                                • Part of subcall function 02C11BA7: __EH_prolog.LIBCMT ref: 02C11BAC
                                                                                                                • Part of subcall function 02C11BA7: RtlEnterCriticalSection.NTDLL ref: 02C11BBC
                                                                                                                • Part of subcall function 02C11BA7: RtlLeaveCriticalSection.NTDLL ref: 02C11BEA
                                                                                                                • Part of subcall function 02C11BA7: RtlEnterCriticalSection.NTDLL ref: 02C11C13
                                                                                                                • Part of subcall function 02C11BA7: RtlLeaveCriticalSection.NTDLL ref: 02C11C56
                                                                                                                • Part of subcall function 02C1DE2A: __EH_prolog.LIBCMT ref: 02C1DE2F
                                                                                                              • htonl.WS2_32(?), ref: 02C1497C
                                                                                                              • htonl.WS2_32(00000000), ref: 02C14983
                                                                                                              • htonl.WS2_32(00000000), ref: 02C149C8
                                                                                                              • htonl.WS2_32(00000000), ref: 02C149CF
                                                                                                              • htons.WS2_32(?), ref: 02C149EF
                                                                                                              • htons.WS2_32(?), ref: 02C149F9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 1645262487-0
                                                                                                              • Opcode ID: 2e0ebad878a31a42c190bff27d5f0b844f3fd358e36364c18df52528fc5dee0c
                                                                                                              • Instruction ID: f9a77b6ca72d4a690dd3a80c36fa57fe1bb7f345f24da71908727c6b583e7d1f
                                                                                                              • Opcode Fuzzy Hash: 2e0ebad878a31a42c190bff27d5f0b844f3fd358e36364c18df52528fc5dee0c
                                                                                                              • Instruction Fuzzy Hash: 63029C71C00259EFEF15DFA4C846BEEBBB9AF0A304F10455AE505B7280DB745A48EFA1
                                                                                                              APIs
                                                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(Eclipse IO Library 9.27.43,Function_0000235E), ref: 004023C1
                                                                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402420
                                                                                                              • GetLastError.KERNEL32 ref: 00402422
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                                                              • GetLastError.KERNEL32 ref: 00402450
                                                                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 00402480
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                                                              • CloseHandle.KERNEL32 ref: 004024A1
                                                                                                              • SetServiceStatus.ADVAPI32(0040A0E0), ref: 004024CA
                                                                                                              Strings
                                                                                                              • Eclipse IO Library 9.27.43, xrefs: 004023BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                                              • String ID: Eclipse IO Library 9.27.43
                                                                                                              • API String ID: 3346042915-2124222407
                                                                                                              • Opcode ID: 753c8bccf627cb5353d4a294398c8736193124083ae435b11ee25f47cab8285e
                                                                                                              • Instruction ID: 1420ef795783f2c616889eaeaacfbb85f42c25b2a6fdf7f0143c9c805b11b94c
                                                                                                              • Opcode Fuzzy Hash: 753c8bccf627cb5353d4a294398c8736193124083ae435b11ee25f47cab8285e
                                                                                                              • Instruction Fuzzy Hash: D4210C70441309EBD210DF16EF49E567FB8EB85754711C03BE206B22B0D7BA0064EB6E
                                                                                                              APIs
                                                                                                              • RtlDecodePointer.NTDLL(?), ref: 02C2827A
                                                                                                              • _free.LIBCMT ref: 02C28293
                                                                                                                • Part of subcall function 02C22EB4: HeapFree.KERNEL32(00000000,00000000,?,02C25C12,00000000,00000104,74DF0A60), ref: 02C22EC8
                                                                                                                • Part of subcall function 02C22EB4: GetLastError.KERNEL32(00000000,?,02C25C12,00000000,00000104,74DF0A60), ref: 02C22EDA
                                                                                                              • _free.LIBCMT ref: 02C282A6
                                                                                                              • _free.LIBCMT ref: 02C282C4
                                                                                                              • _free.LIBCMT ref: 02C282D6
                                                                                                              • _free.LIBCMT ref: 02C282E7
                                                                                                              • _free.LIBCMT ref: 02C282F2
                                                                                                              • _free.LIBCMT ref: 02C28316
                                                                                                              • RtlEncodePointer.NTDLL(00A5CF58), ref: 02C2831D
                                                                                                              • _free.LIBCMT ref: 02C28332
                                                                                                              • _free.LIBCMT ref: 02C28348
                                                                                                              • _free.LIBCMT ref: 02C28370
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 3064303923-0
                                                                                                              • Opcode ID: e2ad7949e96aac3a845ccca1927aae3562dfc9d34a34365f80693b7c1a00e876
                                                                                                              • Instruction ID: b61bd00d483985ed1a46d534492e1417ebabd0eef4108ef3565b5353f1a18858
                                                                                                              • Opcode Fuzzy Hash: e2ad7949e96aac3a845ccca1927aae3562dfc9d34a34365f80693b7c1a00e876
                                                                                                              • Instruction Fuzzy Hash: 3621E47AC416708BDB259F14E84070777E9BF967213290B2ADC0457244CF34AD18EFA5
                                                                                                              APIs
                                                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035B9
                                                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035CD
                                                                                                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 004035F9
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403631
                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402DE4), ref: 00403653
                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402DE4), ref: 0040366C
                                                                                                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402DE4), ref: 0040367F
                                                                                                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004036BD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                                              • String ID: -@
                                                                                                              • API String ID: 1823725401-2999422947
                                                                                                              • Opcode ID: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
                                                                                                              • Instruction ID: a052efc5f8264b04540ba139265ff63877c4dc4e75c0ae38b6650f7b3518fcca
                                                                                                              • Opcode Fuzzy Hash: d09c44be7b725e9416f1bbabc7ff939c5033ef1a694eb4ed66286c613d9d8241
                                                                                                              • Instruction Fuzzy Hash: 7A31F0B24042217EDB303F785C8883B7E9CE64574A7120D3BF542E3390E67A8E814AAD
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C13428
                                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02C1346B
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C13472
                                                                                                              • GetLastError.KERNEL32 ref: 02C13486
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C134D7
                                                                                                              • RtlEnterCriticalSection.NTDLL(00000018), ref: 02C134ED
                                                                                                              • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02C13518
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                                              • String ID: CancelIoEx$KERNEL32
                                                                                                              • API String ID: 2902213904-434325024
                                                                                                              • Opcode ID: 86602d6c67dbfa0669c0582df4589236e84a287f79610068c099490ea66c4c35
                                                                                                              • Instruction ID: ff4edd8c83a9dae74a23986f0fc2d721b22015813a9842c8919a43f23875206c
                                                                                                              • Opcode Fuzzy Hash: 86602d6c67dbfa0669c0582df4589236e84a287f79610068c099490ea66c4c35
                                                                                                              • Instruction Fuzzy Hash: CB317EB1900255DFDB019F64C845BAABBF9FF8A315F0049AAE81A9B340CB70D915DFA1
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 0040541A
                                                                                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405432
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405443
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00405450
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                                                                              • API String ID: 2238633743-4073082454
                                                                                                              • Opcode ID: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                                                                              • Instruction ID: 002c49bf34bfddc632f277928187d9a53126bd14f393e8a72b926efab3457658
                                                                                                              • Opcode Fuzzy Hash: c1c5459b902c6d691e26e6f6b3d5bc075fbf46770f4929c54e66e674ea662e67
                                                                                                              • Instruction Fuzzy Hash: E1018431740705AFC7109FB4AD80E6B7AE9FB48791309843BB955F22A1D778C860CF69
                                                                                                              APIs
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403CC6
                                                                                                              • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00403D9C
                                                                                                              • WriteFile.KERNEL32(00000000), ref: 00403DA3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$HandleModuleNameWrite
                                                                                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $r@
                                                                                                              • API String ID: 3784150691-1191147370
                                                                                                              • Opcode ID: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                                                                              • Instruction ID: 901e413bd7d296cb1b0b97d790854a8d5494ec17f79a926850544caa0371b074
                                                                                                              • Opcode Fuzzy Hash: d598713df4d839de7fd74915155ccdeaa4efa499b3dc35e679589c6eb5dc5418
                                                                                                              • Instruction Fuzzy Hash: F831C772A04208AEEF20EF60DE49F9A776CEF45304F1004BBF545F61C1D6B8AA858A59
                                                                                                              APIs
                                                                                                              • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 00405917
                                                                                                              • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405933
                                                                                                              • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,004051A5,?,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 0040597C
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,004051A5,00200020,00000000,?,00000000,00000000), ref: 004059B4
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A0C
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405A22
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,004051A5,00000000,004051A5,?,?,004051A5,00200020,00000000,?,00000000), ref: 00405A55
                                                                                                              • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,004051A5,00200020,00000000,?,00000000), ref: 00405ABD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: String$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 352835431-0
                                                                                                              • Opcode ID: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                                                                              • Instruction ID: ad677ee5f46337090c489763c5b1535e0d4a7e7cc2f37d679e5ddd81b555dfe6
                                                                                                              • Opcode Fuzzy Hash: 6e7e0904aad4ffb7df7fa70090622cd283316a6a4d1fe7c3c07164d91eefa06b
                                                                                                              • Instruction Fuzzy Hash: 8B516C71A00609EFCF218FA5DD85A9F7FB5FB48750F14422AF911B21A0D3398921DF69
                                                                                                              APIs
                                                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,E0B1A480), ref: 02C215F0
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C21605
                                                                                                              • ResetEvent.KERNEL32(00000000,E0B1A480), ref: 02C2160F
                                                                                                              • CloseHandle.KERNEL32(00000000,E0B1A480), ref: 02C21644
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,E0B1A480), ref: 02C216BA
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C216CF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseEventHandle$CreateOpenReset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1285874450-0
                                                                                                              • Opcode ID: a4a66a4f468e25369c7ef64284e45cd60a45f897eb6adf6665ab73c0a8c7553f
                                                                                                              • Instruction ID: 1b040f22a5d2fdb3049e402ea840fb4df87c45494a49ceb3c2ee0fa2cb8a2189
                                                                                                              • Opcode Fuzzy Hash: a4a66a4f468e25369c7ef64284e45cd60a45f897eb6adf6665ab73c0a8c7553f
                                                                                                              • Instruction Fuzzy Hash: 0F413175D04368AFDF20CFA5C844B9DBBB8FF45724F184619E419EB281DBB09A09CB91
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C120AC
                                                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C120CD
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C120D8
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02C1213E
                                                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02C1217A
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02C12187
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C121A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                                              • String ID:
                                                                                                              • API String ID: 1171374749-0
                                                                                                              • Opcode ID: 34e601f6f83d3e94d5afece93c08d7dbd1ac70bd5767c995d63cfc0309aef66e
                                                                                                              • Instruction ID: 54366f579666f493711d330605a93973e61cc48d010a0d40160bbf9f1b1e8669
                                                                                                              • Opcode Fuzzy Hash: 34e601f6f83d3e94d5afece93c08d7dbd1ac70bd5767c995d63cfc0309aef66e
                                                                                                              • Instruction Fuzzy Hash: 9D4159B55047059FC321DF25D885A6BBBF9FFC9654F100A1EF89A82250D730E909EFA2
                                                                                                              APIs
                                                                                                                • Part of subcall function 02C21E10: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02C2166E,?,?), ref: 02C21E3F
                                                                                                                • Part of subcall function 02C21E10: CloseHandle.KERNEL32(00000000,?,?,02C2166E,?,?), ref: 02C21E54
                                                                                                                • Part of subcall function 02C21E10: SetEvent.KERNEL32(00000000,02C2166E,?,?), ref: 02C21E67
                                                                                                              • OpenEventA.KERNEL32(00100002,00000000,00000000,E0B1A480), ref: 02C215F0
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C21605
                                                                                                              • ResetEvent.KERNEL32(00000000,E0B1A480), ref: 02C2160F
                                                                                                              • CloseHandle.KERNEL32(00000000,E0B1A480), ref: 02C21644
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02C21675
                                                                                                                • Part of subcall function 02C2449A: RaiseException.KERNEL32(?,?,02C1FA96,?,?,?,?,?,?,?,02C1FA96,?,02C40F78,?), ref: 02C244EF
                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,E0B1A480), ref: 02C216BA
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C216CF
                                                                                                                • Part of subcall function 02C21B50: GetCurrentProcessId.KERNEL32(?), ref: 02C21BA9
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,E0B1A480), ref: 02C216DF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2227236058-0
                                                                                                              • Opcode ID: 7f961740410f78bbd4b787bfa63ee56f47d6f87223a3dd68642cd53e3b93962a
                                                                                                              • Instruction ID: 1afa83828fe750cb7733bf387e8f092a0ef8eccaf81acef794b98b4276a7e871
                                                                                                              • Opcode Fuzzy Hash: 7f961740410f78bbd4b787bfa63ee56f47d6f87223a3dd68642cd53e3b93962a
                                                                                                              • Instruction Fuzzy Hash: 4D317275D003689BDF20CBE4CC44BADB7B9EF45715F1C0119E81DEB281DBB09A098B51
                                                                                                              APIs
                                                                                                              • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403A36), ref: 00404639
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403A36), ref: 0040465D
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403A36), ref: 00404677
                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403A36), ref: 00404738
                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403A36), ref: 0040474F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual$FreeHeap
                                                                                                              • String ID: r@$r@
                                                                                                              • API String ID: 714016831-1712950306
                                                                                                              • Opcode ID: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                                                                              • Instruction ID: 6d2ae56a8b2e66d9b660bb9c1c671dd7469dd609f739855ae4ec176a3c74651c
                                                                                                              • Opcode Fuzzy Hash: 6146d640eca2786615fae02a601f05dd2cfcbd8d5d5bc8993479f9a7be96b628
                                                                                                              • Instruction Fuzzy Hash: 3531BEB0940702ABD3309F24DD44B66B7A4EB86755F11463BF265BB2D0E7B8A8418B4D
                                                                                                              APIs
                                                                                                              • __init_pointers.LIBCMT ref: 02C25CD4
                                                                                                                • Part of subcall function 02C28442: RtlEncodePointer.NTDLL(00000000), ref: 02C28445
                                                                                                                • Part of subcall function 02C28442: __initp_misc_winsig.LIBCMT ref: 02C28460
                                                                                                                • Part of subcall function 02C28442: GetModuleHandleW.KERNEL32(kernel32.dll,?,02C41578,00000008,00000003,02C40F5C,?,00000001), ref: 02C291C1
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C291D5
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C291E8
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C291FB
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C2920E
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02C29221
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02C29234
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02C29247
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02C2925A
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02C2926D
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02C29280
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02C29293
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02C292A6
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02C292B9
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02C292CC
                                                                                                                • Part of subcall function 02C28442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02C292DF
                                                                                                              • __mtinitlocks.LIBCMT ref: 02C25CD9
                                                                                                              • __mtterm.LIBCMT ref: 02C25CE2
                                                                                                                • Part of subcall function 02C25D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02C28878
                                                                                                                • Part of subcall function 02C25D4A: _free.LIBCMT ref: 02C2887F
                                                                                                                • Part of subcall function 02C25D4A: RtlDeleteCriticalSection.NTDLL(02C43978), ref: 02C288A1
                                                                                                              • __calloc_crt.LIBCMT ref: 02C25D07
                                                                                                              • __initptd.LIBCMT ref: 02C25D29
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02C25D30
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 3567560977-0
                                                                                                              • Opcode ID: 803e0a14ef8975f98b0369ca47d8b291d23fba1c0bd4ef2b17d6fdc0daee0d4c
                                                                                                              • Instruction ID: f79b7400f8f547e0c24a52cc27ec4457f292a3a85e041be706743f075a18cca1
                                                                                                              • Opcode Fuzzy Hash: 803e0a14ef8975f98b0369ca47d8b291d23fba1c0bd4ef2b17d6fdc0daee0d4c
                                                                                                              • Instruction Fuzzy Hash: EEF024325587311EF22C3AB57D0A34B2786DF417B0F700B19E450DA0C4FF61880CA961
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02C233B6,00000000), ref: 02C2341E
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C23425
                                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02C23431
                                                                                                              • RtlDecodePointer.NTDLL(00000001), ref: 02C2344E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                              • String ID: RoInitialize$combase.dll
                                                                                                              • API String ID: 3489934621-340411864
                                                                                                              • Opcode ID: 0ca9af438dec127187246090067eaf7feb821e91d69ef97f5e72478f3c148ebc
                                                                                                              • Instruction ID: 7b74ec44019dcb4c95444bc28346a333f1d1f0ce06c198b03016e98dfa1b001c
                                                                                                              • Opcode Fuzzy Hash: 0ca9af438dec127187246090067eaf7feb821e91d69ef97f5e72478f3c148ebc
                                                                                                              • Instruction Fuzzy Hash: DAE012F5DD0340ABEB215F70DC89B063AA9A742747F604FA0B506D6184CBB961A88F54
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02C233F3), ref: 02C234F3
                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 02C234FA
                                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02C23505
                                                                                                              • RtlDecodePointer.NTDLL(02C233F3), ref: 02C23520
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                              • String ID: RoUninitialize$combase.dll
                                                                                                              • API String ID: 3489934621-2819208100
                                                                                                              • Opcode ID: 02f3b97e8d7738ef88bac0a74650fd74285e1aa2d0127fa5d8d99480e7d77006
                                                                                                              • Instruction ID: 66733c4eccd7169f2e4e0116ee54f41e92bde65ca596c4e276bc47b016a9ad10
                                                                                                              • Opcode Fuzzy Hash: 02f3b97e8d7738ef88bac0a74650fd74285e1aa2d0127fa5d8d99480e7d77006
                                                                                                              • Instruction Fuzzy Hash: 8EE0BFB5DD0304ABEB315F70AC0DB0676EDB746706F200E64F54AE1148CBBC61288A98
                                                                                                              APIs
                                                                                                              • TlsGetValue.KERNEL32(0000002C,E0B1A480,?,?,?,?,00000000,02C369F8,000000FF,02C2210A), ref: 02C21EAA
                                                                                                              • TlsSetValue.KERNEL32(0000002C,02C2210A,?,?,00000000), ref: 02C21F17
                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C21F41
                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02C21F44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: HeapValue$FreeProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1812714009-0
                                                                                                              • Opcode ID: d04e8ba02f6ae3e065cfe080152611185c460f39106f4236ff9145524558e616
                                                                                                              • Instruction ID: f5e1ce8238a6c0f56bd5fb0715b9c0e3800636a2fb13b6d1bd2985c03476e68f
                                                                                                              • Opcode Fuzzy Hash: d04e8ba02f6ae3e065cfe080152611185c460f39106f4236ff9145524558e616
                                                                                                              • Instruction Fuzzy Hash: 0C51E5759043689FD720CF29C848B16BBE4FF85764F094658F86D97282DBB1ED08CB91
                                                                                                              APIs
                                                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 02C356D0
                                                                                                              • __FindPESection.LIBCMT ref: 02C356EA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                                                              • String ID:
                                                                                                              • API String ID: 876702719-0
                                                                                                              • Opcode ID: 9c91b7832692aec50fd99dbb7051f8a21b988fafc3e6cc1cfbc1f2bea30f256a
                                                                                                              • Instruction ID: aad25b870c2e3b7a41c1aecb0657d8fb0a7a9332b63b00bf426625f13d3b3425
                                                                                                              • Opcode Fuzzy Hash: 9c91b7832692aec50fd99dbb7051f8a21b988fafc3e6cc1cfbc1f2bea30f256a
                                                                                                              • Instruction Fuzzy Hash: BCA1BFB5A40615CFCB26CF18C9807AEB7F5FB893A8F944A69DC05A7341E731E905CB90
                                                                                                              APIs
                                                                                                              • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B63
                                                                                                              • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405B7D
                                                                                                              • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BB1
                                                                                                              • MultiByteToWideChar.KERNEL32(004051A5,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,004051A5,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BE9
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C3F
                                                                                                              • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405C51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: StringType$ByteCharMultiWide
                                                                                                              • String ID:
                                                                                                              • API String ID: 3852931651-0
                                                                                                              • Opcode ID: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                                                                              • Instruction ID: b73683cf29d179dc30ac0dacbc12c8afa3e963ef4805c6be7b54428ebd0f8a91
                                                                                                              • Opcode Fuzzy Hash: d4209c6b3d3c9ca3d0b98124627720af5477d93fa3c81dc5f6dd6a722f71754a
                                                                                                              • Instruction Fuzzy Hash: 1E417B71500609EFDF219F94DD86AAF7F79EB05750F10443AFA12B6290C339A960CBA9
                                                                                                              APIs
                                                                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C11CB1
                                                                                                              • CloseHandle.KERNEL32(?), ref: 02C11CBA
                                                                                                              • InterlockedExchangeAdd.KERNEL32(02C47244,00000000), ref: 02C11CC6
                                                                                                              • TerminateThread.KERNEL32(?,00000000), ref: 02C11CD4
                                                                                                              • QueueUserAPC.KERNEL32(02C11E7C,?,00000000), ref: 02C11CE1
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C11CEC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 1946104331-0
                                                                                                              • Opcode ID: 1586c007bb94e5d49b539ffd927a15adc15edc46ec2b3058b91c735e368da478
                                                                                                              • Instruction ID: 78bede70230544f450055eb73251e3f58f8026917dbc88a78a887d9e254fcff6
                                                                                                              • Opcode Fuzzy Hash: 1586c007bb94e5d49b539ffd927a15adc15edc46ec2b3058b91c735e368da478
                                                                                                              • Instruction Fuzzy Hash: BFF0A471540614BFDB204B96DD0EE57FFBCEB85720B004B5DF62A82190DBB09914DBA0
                                                                                                              APIs
                                                                                                              • GetVersionExA.KERNEL32 ref: 004038C7
                                                                                                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004038FC
                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040395C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                              • API String ID: 1385375860-4131005785
                                                                                                              • Opcode ID: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                                                                              • Instruction ID: dfbe321087950a958f1f5ebe55e663b38e75b845a74228cdfb1d658b51cb0ff2
                                                                                                              • Opcode Fuzzy Hash: 476567a857e94c6b60ab0a2bb3643b3ab9519d2bf8b3118ed803bebf3e2b5968
                                                                                                              • Instruction Fuzzy Hash: A53127B29052446DEB319A705C46BDF3F6C9B02305F2400FBD185F52C2D2B99F85CB18
                                                                                                              APIs
                                                                                                              • std::exception::exception.LIBCMT ref: 02C218BF
                                                                                                                • Part of subcall function 02C22413: std::exception::_Copy_str.LIBCMT ref: 02C2242C
                                                                                                                • Part of subcall function 02C20C90: __CxxThrowException@8.LIBCMT ref: 02C20CEE
                                                                                                              • std::exception::exception.LIBCMT ref: 02C2191E
                                                                                                              Strings
                                                                                                              • boost unique_lock owns already the mutex, xrefs: 02C2190D
                                                                                                              • $, xrefs: 02C21923
                                                                                                              • boost unique_lock has no mutex, xrefs: 02C218AE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                                              • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                                              • API String ID: 2140441600-46888669
                                                                                                              • Opcode ID: 69786198d8599f62fd5656e7389b361a332c67a0a61319d7156203be9ed42e60
                                                                                                              • Instruction ID: 861e9b58d8f026bff72de292f174c83bbe7fdb441a59f83c9d6d4c662866ade3
                                                                                                              • Opcode Fuzzy Hash: 69786198d8599f62fd5656e7389b361a332c67a0a61319d7156203be9ed42e60
                                                                                                              • Instruction Fuzzy Hash: FD2146B15087909FD720DF24C44475BBBE9BF88708F504E1EF4A587280DBB69908DF82
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C12350
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C12360
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C12370
                                                                                                              • GetLastError.KERNEL32 ref: 02C1237A
                                                                                                                • Part of subcall function 02C11712: __EH_prolog.LIBCMT ref: 02C11717
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                              • String ID: pqcs
                                                                                                              • API String ID: 1619523792-2559862021
                                                                                                              • Opcode ID: 293002a5ff5e1be2de130565c3007ac1e196aa1b6d7f7c6bc039f33df5dd78b1
                                                                                                              • Instruction ID: 9c014c60d793326bb06f10fabaccf0bf44fd90e0bd96d52a3b784221ca937146
                                                                                                              • Opcode Fuzzy Hash: 293002a5ff5e1be2de130565c3007ac1e196aa1b6d7f7c6bc039f33df5dd78b1
                                                                                                              • Instruction Fuzzy Hash: 5EF05BB1940314EFDB106F749909B6B77ACEF46701F404955E909D3140E770D5149BD1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C14035
                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02C14042
                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02C14049
                                                                                                              • std::exception::exception.LIBCMT ref: 02C14063
                                                                                                                • Part of subcall function 02C1A601: __EH_prolog.LIBCMT ref: 02C1A606
                                                                                                                • Part of subcall function 02C1A601: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C1A615
                                                                                                                • Part of subcall function 02C1A601: __CxxThrowException@8.LIBCMT ref: 02C1A634
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                                              • String ID: bad allocation
                                                                                                              • API String ID: 3112922283-2104205924
                                                                                                              • Opcode ID: e89155d982dcb80bcb824549ecf2e8fb70d199f591c0c73644af8408bf6b7265
                                                                                                              • Instruction ID: b2b314b206f2d1f968ecb7906fdc4dc27502d5303762bd355a02b2da99dd600a
                                                                                                              • Opcode Fuzzy Hash: e89155d982dcb80bcb824549ecf2e8fb70d199f591c0c73644af8408bf6b7265
                                                                                                              • Instruction Fuzzy Hash: 97F082F1D44209DBCB01EFE0C904BEFB778EB08305F804945E914A2240DB355218DF91
                                                                                                              APIs
                                                                                                              • GetStartupInfoA.KERNEL32(?), ref: 00403729
                                                                                                              • GetFileType.KERNEL32(00000800), ref: 004037CF
                                                                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 00403828
                                                                                                              • GetFileType.KERNEL32(00000000), ref: 00403836
                                                                                                              • SetHandleCount.KERNEL32 ref: 0040386D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileHandleType$CountInfoStartup
                                                                                                              • String ID:
                                                                                                              • API String ID: 1710529072-0
                                                                                                              • Opcode ID: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                                                                              • Instruction ID: 340931fb5571d0dd89e9413526c141aa1936fc067e7847d678db743c6b9c99aa
                                                                                                              • Opcode Fuzzy Hash: 1ce75c326bde2c2d02afe177aeb4995e441bbd179d01f1070c3041f2ee44749b
                                                                                                              • Instruction Fuzzy Hash: A65136B25003508BD7209F28CD48B563FE8EB01336F19C67AE492EB2E1C738C955C75A
                                                                                                              APIs
                                                                                                                • Part of subcall function 02C21990: CloseHandle.KERNEL32(00000000,E0B1A480), ref: 02C219E1
                                                                                                                • Part of subcall function 02C21990: WaitForSingleObject.KERNEL32(?,000000FF,E0B1A480,?,?,?,?,E0B1A480,02C21963,E0B1A480), ref: 02C219F8
                                                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C21C5E
                                                                                                              • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C21C7E
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02C21CB7
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02C21D0B
                                                                                                              • SetEvent.KERNEL32(?), ref: 02C21D12
                                                                                                                • Part of subcall function 02C1418C: CloseHandle.KERNEL32(00000000,?,02C21C45), ref: 02C141B0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 4166353394-0
                                                                                                              • Opcode ID: 6bb425d74876361e77166b24eb45c591c668d661324e6d02a41e3c9a3891cd31
                                                                                                              • Instruction ID: e5d6e27ccc55c784507a04753aa52a24d265c01a1ac66b41b7f21c7655c23f6c
                                                                                                              • Opcode Fuzzy Hash: 6bb425d74876361e77166b24eb45c591c668d661324e6d02a41e3c9a3891cd31
                                                                                                              • Instruction Fuzzy Hash: 7441F2706407218BDB26CF28CC80B17B7A4EF85724F280668EC18DB292DB75D9198BE5
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C120AC
                                                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C120CD
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C120D8
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 02C1213E
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C121A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                                              • String ID:
                                                                                                              • API String ID: 1611172436-0
                                                                                                              • Opcode ID: 917ff0752b8ced50c607b18f0b4fbf8d1355d980b5985926ea1d149bbb38893c
                                                                                                              • Instruction ID: 53a6acfc0c1218897ba6dd51fc990ca33aca0978da6e5ad25ae3c15cc4291e9d
                                                                                                              • Opcode Fuzzy Hash: 917ff0752b8ced50c607b18f0b4fbf8d1355d980b5985926ea1d149bbb38893c
                                                                                                              • Instruction Fuzzy Hash: 3C31AB765047019FC320DF25D886A6BF7F9EFC9614F140A1EF89683250D730E90AEB92
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C1E034
                                                                                                                • Part of subcall function 02C11A01: TlsGetValue.KERNEL32 ref: 02C11A0A
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C1E0B3
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C1E0CF
                                                                                                              • InterlockedIncrement.KERNEL32(02C45180), ref: 02C1E0F4
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C1E109
                                                                                                                • Part of subcall function 02C127F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02C1284E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                                              • String ID:
                                                                                                              • API String ID: 1578506061-0
                                                                                                              • Opcode ID: 5adc65d60c2a97dea7f7a1eda64d56c1b5f848c094cab46b5acb3a5e536129e2
                                                                                                              • Instruction ID: b1806505516acf630d90efadc392f3ba0cd292868d91f5032c0640cc22a210df
                                                                                                              • Opcode Fuzzy Hash: 5adc65d60c2a97dea7f7a1eda64d56c1b5f848c094cab46b5acb3a5e536129e2
                                                                                                              • Instruction Fuzzy Hash: 4D3169B1C01604DFCB10DFA8C545AAEBBF8BF09310F14895ED849D7640E734A604EFA0
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02C302F0
                                                                                                                • Part of subcall function 02C22EEC: __FF_MSGBANNER.LIBCMT ref: 02C22F03
                                                                                                                • Part of subcall function 02C22EEC: __NMSG_WRITE.LIBCMT ref: 02C22F0A
                                                                                                                • Part of subcall function 02C22EEC: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 02C22F2F
                                                                                                              • _free.LIBCMT ref: 02C30303
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 1020059152-0
                                                                                                              • Opcode ID: 4a85a495bbecc07b640de0641e8e1d214e5f686570b546c24871aee2526768b4
                                                                                                              • Instruction ID: 9593e9ac4e4e5afd89451a34682ab03c81270a9bc2bc67040528a38d0886f582
                                                                                                              • Opcode Fuzzy Hash: 4a85a495bbecc07b640de0641e8e1d214e5f686570b546c24871aee2526768b4
                                                                                                              • Instruction Fuzzy Hash: DF11E573908635ABDB663F70AD08B6B3799EF443B0F104E25F94E9A190DF348554EAD0
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C121DA
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C121ED
                                                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02C12224
                                                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02C12237
                                                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C12261
                                                                                                                • Part of subcall function 02C12341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C12350
                                                                                                                • Part of subcall function 02C12341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C12360
                                                                                                                • Part of subcall function 02C12341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C12370
                                                                                                                • Part of subcall function 02C12341: GetLastError.KERNEL32 ref: 02C1237A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1856819132-0
                                                                                                              • Opcode ID: b2f18e1450c3e22d2219a7b683d56d5a38702413c9f00ed368624f78f1aa2eec
                                                                                                              • Instruction ID: ffb50d7edb57c0df7a84119792e066e2dece0334c84a3cdebcd112d466e5d1e7
                                                                                                              • Opcode Fuzzy Hash: b2f18e1450c3e22d2219a7b683d56d5a38702413c9f00ed368624f78f1aa2eec
                                                                                                              • Instruction Fuzzy Hash: F411B1B5D04128DBCB15AFA4D805AAEFFBAFF45360F004A1AEC1592260D7714655EB81
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C1229D
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C122B0
                                                                                                              • TlsGetValue.KERNEL32 ref: 02C122E7
                                                                                                              • TlsSetValue.KERNEL32(?), ref: 02C12300
                                                                                                              • TlsSetValue.KERNEL32(?,?,?), ref: 02C1231C
                                                                                                                • Part of subcall function 02C12341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C12350
                                                                                                                • Part of subcall function 02C12341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C12360
                                                                                                                • Part of subcall function 02C12341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C12370
                                                                                                                • Part of subcall function 02C12341: GetLastError.KERNEL32 ref: 02C1237A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1856819132-0
                                                                                                              • Opcode ID: cf392a10c18a6843f7e0bc81a6014b67aa6ad1e79b414df535d6b002f2295976
                                                                                                              • Instruction ID: f193bfbdccf4581368ed69a2d609763a15a2d930b421439a0e4a95fb491e4899
                                                                                                              • Opcode Fuzzy Hash: cf392a10c18a6843f7e0bc81a6014b67aa6ad1e79b414df535d6b002f2295976
                                                                                                              • Instruction Fuzzy Hash: 781160B5D00129DBCB11AFA5D844AAEFFBAFF49350F004A1AE804A3250DB714A55EF91
                                                                                                              APIs
                                                                                                                • Part of subcall function 02C1B09C: __EH_prolog.LIBCMT ref: 02C1B0A1
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02C1BC66
                                                                                                                • Part of subcall function 02C2449A: RaiseException.KERNEL32(?,?,02C1FA96,?,?,?,?,?,?,?,02C1FA96,?,02C40F78,?), ref: 02C244EF
                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02C41D94,?,00000001), ref: 02C1BC7C
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C1BC8F
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02C41D94,?,00000001), ref: 02C1BC9F
                                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C1BCAD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2725315915-0
                                                                                                              • Opcode ID: 61845ec0102626ab9f20013186bacf473d127f8aa413a1b910b8da3934f438ee
                                                                                                              • Instruction ID: ea64d8a98b76435debb678b2ee63de578505274537d10f4a2d1c6bf24d19aa11
                                                                                                              • Opcode Fuzzy Hash: 61845ec0102626ab9f20013186bacf473d127f8aa413a1b910b8da3934f438ee
                                                                                                              • Instruction Fuzzy Hash: F40186F2A40304AFDB109EB4DC89F86B7ADAB04359F044915F615D6190DB70E8099B50
                                                                                                              APIs
                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C12432
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C12445
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C12454
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C12469
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C12470
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 747265849-0
                                                                                                              • Opcode ID: d56d2ecbfe0db54fc4da441169e4b7d69f8cff4bd0bc4224aa2d391155c0b618
                                                                                                              • Instruction ID: 3224030edb6b333e13efb2b001b389cb40c2b80dda99426d01a404ba58d543c6
                                                                                                              • Opcode Fuzzy Hash: d56d2ecbfe0db54fc4da441169e4b7d69f8cff4bd0bc4224aa2d391155c0b618
                                                                                                              • Instruction Fuzzy Hash: 3FF01DB2640214BBD704ABA0ED4AF96B72CFB45711F804911F601D6480D771A624CBE1
                                                                                                              APIs
                                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 02C11ED2
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C11EEA
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C11EF9
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C11F0E
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C11F15
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 830998967-0
                                                                                                              • Opcode ID: a31e1d6f78782a1686f984a46ef79e9db594fc143479dde5948e5fef9ff4e3cb
                                                                                                              • Instruction ID: 4f70948e3718e73623e3367d99951ddb0bb02f4cae0df4c9cfaf68f639d64af2
                                                                                                              • Opcode Fuzzy Hash: a31e1d6f78782a1686f984a46ef79e9db594fc143479dde5948e5fef9ff4e3cb
                                                                                                              • Instruction Fuzzy Hash: CCF017B2641609BBDB00AFA1ED89FD6BB2CFF55351F000916F60186440DB75A629CBE1
                                                                                                              APIs
                                                                                                                • Part of subcall function 02C19A10: __EH_prolog.LIBCMT ref: 02C19A15
                                                                                                                • Part of subcall function 02C19A10: _Allocate.LIBCPMT ref: 02C19A6C
                                                                                                                • Part of subcall function 02C19A10: _memmove.LIBCMT ref: 02C19AC3
                                                                                                              • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C208E2
                                                                                                              • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C208EA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateErrorFormatH_prologLastMessage_memmove
                                                                                                              • String ID: Unknown error$invalid string position
                                                                                                              • API String ID: 1017912131-1837348584
                                                                                                              • Opcode ID: 6dc5bbb234b7cc8ca940d3e414052289e23b472725bff452f03dab1cc797a341
                                                                                                              • Instruction ID: eb9ad93b5d73ab7f9ae2bdf2f2e5e2440bf5d92c5becce98f4312f5ef16a9b1b
                                                                                                              • Opcode Fuzzy Hash: 6dc5bbb234b7cc8ca940d3e414052289e23b472725bff452f03dab1cc797a341
                                                                                                              • Instruction Fuzzy Hash: F251AC706483418FE714DF25C891B2FBBE4ABA8744F50092EF482A7691DB71E648CF96
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: _memmove
                                                                                                              • String ID: invalid string position$string too long
                                                                                                              • API String ID: 4104443479-4289949731
                                                                                                              • Opcode ID: ac5b7bf378a57fcc8ceecde9cafcb86103bdd34c17e5d1f24767b3239ecd876a
                                                                                                              • Instruction ID: 63834b875e9256ae9cc287f1910ac7971fcc160778edd6a0b9f2b5a20c7f4d21
                                                                                                              • Opcode Fuzzy Hash: ac5b7bf378a57fcc8ceecde9cafcb86103bdd34c17e5d1f24767b3239ecd876a
                                                                                                              • Instruction Fuzzy Hash: 4F4193313043049FE724DE69D886A5ABBBAEF83754B100A2DF856CB781C770E945EBD0
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000), ref: 02C130C3
                                                                                                              • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02C13102
                                                                                                              • _memcmp.LIBCMT ref: 02C13141
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorLastString_memcmp
                                                                                                              • String ID: 255.255.255.255
                                                                                                              • API String ID: 1618111833-2422070025
                                                                                                              • Opcode ID: 6f8f6ea564f8fc2dded8d4d58468ee0e87c646d495608568b4b0ed8623ffcec1
                                                                                                              • Instruction ID: 0675ad9384a31c0266b171f8760d7d24f0b36f099cfde2fb7943d8a3838522d4
                                                                                                              • Opcode Fuzzy Hash: 6f8f6ea564f8fc2dded8d4d58468ee0e87c646d495608568b4b0ed8623ffcec1
                                                                                                              • Instruction Fuzzy Hash: 7F31B771D00354DFDB209F64CC8276EB7A5BF86328F2045AAEC6557280DB719945DB90
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C11F5B
                                                                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C11FC5
                                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 02C11FD2
                                                                                                                • Part of subcall function 02C11712: __EH_prolog.LIBCMT ref: 02C11717
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                                              • String ID: iocp
                                                                                                              • API String ID: 998023749-976528080
                                                                                                              • Opcode ID: c891823be224c6afc727363ab1e98b9ccd70cd4384c259d30f14172b8aacabaa
                                                                                                              • Instruction ID: 06ce70d7fd37494cfb6e451ff7b0d02b115f9f27aaccf5401560b5a7f912b2d9
                                                                                                              • Opcode Fuzzy Hash: c891823be224c6afc727363ab1e98b9ccd70cd4384c259d30f14172b8aacabaa
                                                                                                              • Instruction Fuzzy Hash: E521D5B1901B449BC720DF6AC50055BFBF8FFA5720B108A1FD5A683A50D7B0A604DF91
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02C23AA7
                                                                                                                • Part of subcall function 02C22EEC: __FF_MSGBANNER.LIBCMT ref: 02C22F03
                                                                                                                • Part of subcall function 02C22EEC: __NMSG_WRITE.LIBCMT ref: 02C22F0A
                                                                                                                • Part of subcall function 02C22EEC: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 02C22F2F
                                                                                                              • std::exception::exception.LIBCMT ref: 02C23AC5
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02C23ADA
                                                                                                                • Part of subcall function 02C2449A: RaiseException.KERNEL32(?,?,02C1FA96,?,?,?,?,?,?,?,02C1FA96,?,02C40F78,?), ref: 02C244EF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                              • String ID: bad allocation
                                                                                                              • API String ID: 3074076210-2104205924
                                                                                                              • Opcode ID: dff4819cfe0eeb2dbdcaebed997c2b6b8207fd8da75ffd7d2187a16f4366e863
                                                                                                              • Instruction ID: a8a6229d6b4aa9d030404b30991d6c2a369c23aa587e3c87e861aae8984abb2a
                                                                                                              • Opcode Fuzzy Hash: dff4819cfe0eeb2dbdcaebed997c2b6b8207fd8da75ffd7d2187a16f4366e863
                                                                                                              • Instruction Fuzzy Hash: F5E0A07054026AAADB00EAA0CC049AFB7A9AB00315F4009A1AC14A2180EF71870CA9A1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C137B6
                                                                                                              • __localtime64.LIBCMT ref: 02C137C1
                                                                                                                • Part of subcall function 02C22540: __gmtime64_s.LIBCMT ref: 02C22553
                                                                                                              • std::exception::exception.LIBCMT ref: 02C137D9
                                                                                                                • Part of subcall function 02C22413: std::exception::_Copy_str.LIBCMT ref: 02C2242C
                                                                                                                • Part of subcall function 02C1A45F: __EH_prolog.LIBCMT ref: 02C1A464
                                                                                                                • Part of subcall function 02C1A45F: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C1A473
                                                                                                                • Part of subcall function 02C1A45F: __CxxThrowException@8.LIBCMT ref: 02C1A492
                                                                                                              Strings
                                                                                                              • could not convert calendar time to UTC time, xrefs: 02C137CE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                                              • String ID: could not convert calendar time to UTC time
                                                                                                              • API String ID: 1963798777-2088861013
                                                                                                              • Opcode ID: 786cb15ba0ed93eeef9708650c4151b5300704fcd75239b3b4b85ef0aa8d19f2
                                                                                                              • Instruction ID: a905b17d95eb6d0382af04619cd44c789b6f0bddd6e85d4dc4cdc08aaaf78b71
                                                                                                              • Opcode Fuzzy Hash: 786cb15ba0ed93eeef9708650c4151b5300704fcd75239b3b4b85ef0aa8d19f2
                                                                                                              • Instruction Fuzzy Hash: 94E06DF1D0021A9BCB01EF94D9057EEB779EF04304F4049A9D825A2140EB745619EE95
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(?,00008000,00004000,74DEDFF0,?,00000000), ref: 00404092
                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004040ED
                                                                                                              • HeapFree.KERNEL32(00000000,?), ref: 004040FF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Free$Virtual$Heap
                                                                                                              • String ID: -@
                                                                                                              • API String ID: 2016334554-2999422947
                                                                                                              • Opcode ID: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                                                                              • Instruction ID: d55dda63c6158a3f001c35490e62a79414290c04420ce97baa52a0c06dad31a7
                                                                                                              • Opcode Fuzzy Hash: 9c389c61e5a6cd43db9238f188d86346d40478f5c1fa1013f45f36ce2e9b1707
                                                                                                              • Instruction Fuzzy Hash: D1B16C75A00205DFDB24CF04CA90AA9BBB1FB88314F24C1AED9196F396C735EE41CB84
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AdjustPointer_memmove
                                                                                                              • String ID:
                                                                                                              • API String ID: 1721217611-0
                                                                                                              • Opcode ID: 1db1966d39bbb53263745c83219e087a343877e89d8f5a417045e3ef6b910b95
                                                                                                              • Instruction ID: 34ef0cfcb0690f4cb9ed610e37d68f138687c91617ad3d1b4b1112e749432397
                                                                                                              • Opcode Fuzzy Hash: 1db1966d39bbb53263745c83219e087a343877e89d8f5a417045e3ef6b910b95
                                                                                                              • Instruction Fuzzy Hash: 8341C4372047139EEB295F65D840B7F33A69F41324F26481FE849861E0DF72E789DA11
                                                                                                              APIs
                                                                                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C14149), ref: 02C212FF
                                                                                                                • Part of subcall function 02C13FDC: __EH_prolog.LIBCMT ref: 02C13FE1
                                                                                                                • Part of subcall function 02C13FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02C13FF3
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C212F4
                                                                                                              • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02C14149), ref: 02C21340
                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C14149), ref: 02C21411
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$Event$CreateH_prolog
                                                                                                              • String ID:
                                                                                                              • API String ID: 2825413587-0
                                                                                                              • Opcode ID: a133d4e4ba229ca465633cc57573e1ac0854c9bb780a55cb02a4c3240a8afdbf
                                                                                                              • Instruction ID: 275f08dbc66a6ea26c61c013ecbc3c064d36bb09973c36bbfa6dc85584cd3824
                                                                                                              • Opcode Fuzzy Hash: a133d4e4ba229ca465633cc57573e1ac0854c9bb780a55cb02a4c3240a8afdbf
                                                                                                              • Instruction Fuzzy Hash: 8751EFB16003558BDF21DF28C984B9AB7E5BF88328F190628F86D97381DB75D909CF81
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                              • String ID:
                                                                                                              • API String ID: 2782032738-0
                                                                                                              • Opcode ID: acdac2ea7175f400f5f91947118356792f48efd8ea4696cdf33623925e283fbc
                                                                                                              • Instruction ID: 64bc7a9879348395705a036bed9790e84b776c46e6d64cd6645378a0efe0c627
                                                                                                              • Opcode Fuzzy Hash: acdac2ea7175f400f5f91947118356792f48efd8ea4696cdf33623925e283fbc
                                                                                                              • Instruction Fuzzy Hash: A34118B5B007A59BDF18CF69C9805AE77A6EF80764B1081BEE815CB240DF78DE49CB40
                                                                                                              APIs
                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C2FE8B
                                                                                                              • __isleadbyte_l.LIBCMT ref: 02C2FEB9
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02C2FEE7
                                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02C2FF1D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                              • String ID:
                                                                                                              • API String ID: 3058430110-0
                                                                                                              • Opcode ID: 6089f040f97c99eba8188934aa4effe078c28d58545ad1ff8925ddebd816a2a4
                                                                                                              • Instruction ID: 5ac3f9b6531f52fb26e84ada3e77abac8e2c6a38bd56c1065c529d1ec5809f14
                                                                                                              • Opcode Fuzzy Hash: 6089f040f97c99eba8188934aa4effe078c28d58545ad1ff8925ddebd816a2a4
                                                                                                              • Instruction Fuzzy Hash: E031E4316002AEAFEB22CE35CC44BAA7BF9FF81314F15452CE85887591DB31D959DB90
                                                                                                              APIs
                                                                                                              • VirtualFree.KERNEL32(FFFFFFFF,00001000,00004000,74DEDFF0,?,00000000,?,-@,0040490E,00000010,00402FA3,?,?), ref: 004047F0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeVirtual
                                                                                                              • String ID: -@$r@$r@
                                                                                                              • API String ID: 1263568516-1251997348
                                                                                                              • Opcode ID: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                                                                              • Instruction ID: a63ca1888fca441bf056fbcf5d5deb39584b298cc2094c54b415f4e68fc1e946
                                                                                                              • Opcode Fuzzy Hash: db728298b98a3dab2ecdb4dab480861bd9016d5beafec50a15f5b98851f5bcbc
                                                                                                              • Instruction Fuzzy Hash: EE21A1B66003419BDB20AB24DD4476633A4EB81379F24CA3BDB65B66D0D378E941CB58
                                                                                                              APIs
                                                                                                              • htons.WS2_32(?), ref: 02C13DA2
                                                                                                                • Part of subcall function 02C13BD3: __EH_prolog.LIBCMT ref: 02C13BD8
                                                                                                                • Part of subcall function 02C13BD3: std::bad_exception::bad_exception.LIBCMT ref: 02C13BED
                                                                                                              • htonl.WS2_32(00000000), ref: 02C13DB9
                                                                                                              • htonl.WS2_32(00000000), ref: 02C13DC0
                                                                                                              • htons.WS2_32(?), ref: 02C13DD4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                                              • String ID:
                                                                                                              • API String ID: 3882411702-0
                                                                                                              • Opcode ID: bb6a7d3a54ced88f4c7ae055dc9fdacfe57915ef2f9f3c42d7c24f94c06ab5ad
                                                                                                              • Instruction ID: d8a3f390c277466daed7a12f60a585f2f062931d4437c6aa047d9b96f05dc3c1
                                                                                                              • Opcode Fuzzy Hash: bb6a7d3a54ced88f4c7ae055dc9fdacfe57915ef2f9f3c42d7c24f94c06ab5ad
                                                                                                              • Instruction Fuzzy Hash: 2811A576910249EFCF019F64D886A9AB7B9FF49314F008896FC08DF205D771DA14DBA1
                                                                                                              APIs
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02C123D0
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C123DE
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C12401
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C12408
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 4018804020-0
                                                                                                              • Opcode ID: e55bb3674da87e983ef5c920d9d1c513fcd14edd81839f51a15b5a6281037863
                                                                                                              • Instruction ID: 3732f549c54a414d5ebc272c63949b4c3dfa2ea22ce6d66ee3da9a534c854569
                                                                                                              • Opcode Fuzzy Hash: e55bb3674da87e983ef5c920d9d1c513fcd14edd81839f51a15b5a6281037863
                                                                                                              • Instruction Fuzzy Hash: 5111E175600304ABDB20DF60D986B66BBB8FF82705F10486DF9019B140E7B1FA15EFA1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                              • Instruction ID: e359eecb55b17d247c531ba0523e728e448118b55106990e5fb0f0c89eff37c7
                                                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                              • Instruction Fuzzy Hash: 10010B7200055EBBCF126E84CC418EE3F66BB58758F4A8416FA1899131DB36C7B5EB81
                                                                                                              APIs
                                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C124A9
                                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 02C124B8
                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 02C124CD
                                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 02C124D4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 4018804020-0
                                                                                                              • Opcode ID: 0ff7acd9946776d18a57f82d39809ab4959bbde354e192dede92a1950f8ef4b3
                                                                                                              • Instruction ID: b75c5bd31730dd2e3457092c4488f89fffa365ebc22ae253c3407245ff2e660e
                                                                                                              • Opcode Fuzzy Hash: 0ff7acd9946776d18a57f82d39809ab4959bbde354e192dede92a1950f8ef4b3
                                                                                                              • Instruction Fuzzy Hash: 73F03CB2540209AFDB00AF69E845F9ABBACFF55711F004519FA05C6141D771E564CFA1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C12009
                                                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 02C12028
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C12037
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02C1204E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                                              • String ID:
                                                                                                              • API String ID: 2456309408-0
                                                                                                              • Opcode ID: 7c4deac6b0fa86909aa963ea6c2d12ade2f4992ef0c22482234c20af2764dd22
                                                                                                              • Instruction ID: 4506280a548a0905ecef365a31f5ebeb687eec66c876cec9447169c1efbc5917
                                                                                                              • Opcode Fuzzy Hash: 7c4deac6b0fa86909aa963ea6c2d12ade2f4992ef0c22482234c20af2764dd22
                                                                                                              • Instruction Fuzzy Hash: 8701ADB18006188BC325AF64E908BAAB7F4FF05704F004E5DE84682590CB746649EF91
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Event$H_prologSleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 1765829285-0
                                                                                                              • Opcode ID: b03a4105ede0dee349494cbd29ad75cd9f832136f5fd0e7719745ccedad78be8
                                                                                                              • Instruction ID: 8c7a520e13ca432227603332b3152bb04e4e1aab488c9723f1f118adf0d9083b
                                                                                                              • Opcode Fuzzy Hash: b03a4105ede0dee349494cbd29ad75cd9f832136f5fd0e7719745ccedad78be8
                                                                                                              • Instruction Fuzzy Hash: E4F05E76640110EFCB009FA4D8C8B88BBA4FF0D321F508AA9FA19DB290C7759854DBA1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmove
                                                                                                              • String ID: &'
                                                                                                              • API String ID: 3529519853-655172784
                                                                                                              • Opcode ID: 1cf59bd9be941062d6c5f24381ad0ec1cc26b8a1243353167be9a7c68eb27e11
                                                                                                              • Instruction ID: 941f622dba56032346bbf0a4d2aab0410315a6c81fe1ce35711f1dd951a0990e
                                                                                                              • Opcode Fuzzy Hash: 1cf59bd9be941062d6c5f24381ad0ec1cc26b8a1243353167be9a7c68eb27e11
                                                                                                              • Instruction Fuzzy Hash: 8E61A071D01218DFDF20DFA4C952AEDFBB6AF4A310F10816AD509AB180D7719A05EFA1
                                                                                                              APIs
                                                                                                              • GetCPInfo.KERNEL32(?,00000000), ref: 00404ED1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Info
                                                                                                              • String ID: $
                                                                                                              • API String ID: 1807457897-3032137957
                                                                                                              • Opcode ID: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                                                                              • Instruction ID: e64d793a5bd47a750bf71bc710b27f1b951018593c94bf49e3c2bba34da37a12
                                                                                                              • Opcode Fuzzy Hash: ade2e129719512a706aeac876f0a8c01095c6a06ec5d81e25aee3eb1febfb5f9
                                                                                                              • Instruction Fuzzy Hash: 1D416B710142985EEB169714CE59FEB3FE8EB02704F1404F6DA49F61D2C2794924DBBB
                                                                                                              APIs
                                                                                                              • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02C1830A,?,?,00000000), ref: 02C19607
                                                                                                              • getsockname.WS2_32(?,?,?), ref: 02C1961D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastgetsockname
                                                                                                              • String ID: &'
                                                                                                              • API String ID: 566540725-655172784
                                                                                                              • Opcode ID: 273464d1173f61a586dfdd8b951a6228543dfe8eed68f61d2c44ff62a3bdb0e0
                                                                                                              • Instruction ID: 206de3bbc266ecab863cd20277c61ffee86a55a5ef26bcbe6e4255adfcc705e0
                                                                                                              • Opcode Fuzzy Hash: 273464d1173f61a586dfdd8b951a6228543dfe8eed68f61d2c44ff62a3bdb0e0
                                                                                                              • Instruction Fuzzy Hash: 00215172A00208DBDB10DF68D845ACEBBF5FF49324F10856AE919EB280DB35A9459B50
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C1CBEB
                                                                                                                • Part of subcall function 02C1D1C7: std::exception::exception.LIBCMT ref: 02C1D1F6
                                                                                                                • Part of subcall function 02C1D97D: __EH_prolog.LIBCMT ref: 02C1D982
                                                                                                                • Part of subcall function 02C23A8F: _malloc.LIBCMT ref: 02C23AA7
                                                                                                                • Part of subcall function 02C1D226: __EH_prolog.LIBCMT ref: 02C1D22B
                                                                                                              Strings
                                                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C1CC28
                                                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02C1CC21
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                                              • API String ID: 1953324306-1943798000
                                                                                                              • Opcode ID: 5726f5232032b3a4395c5b5b186deecb50c90f7ac10ed30a8c21257740903312
                                                                                                              • Instruction ID: a99bbc948bd41fa94de4cf266ee3b90fa06d6b730f8e772057c79899c674e3f0
                                                                                                              • Opcode Fuzzy Hash: 5726f5232032b3a4395c5b5b186deecb50c90f7ac10ed30a8c21257740903312
                                                                                                              • Instruction Fuzzy Hash: BB21ADB1E00254DBDB14EFE8E955AEEBBB9EF55304F00055EE806AB280DB705A48EF51
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C1CCE0
                                                                                                                • Part of subcall function 02C1D29E: std::exception::exception.LIBCMT ref: 02C1D2CB
                                                                                                                • Part of subcall function 02C1DAB4: __EH_prolog.LIBCMT ref: 02C1DAB9
                                                                                                                • Part of subcall function 02C23A8F: _malloc.LIBCMT ref: 02C23AA7
                                                                                                                • Part of subcall function 02C1D2FB: __EH_prolog.LIBCMT ref: 02C1D300
                                                                                                              Strings
                                                                                                              • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C1CD1D
                                                                                                              • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02C1CD16
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$_mallocstd::exception::exception
                                                                                                              • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                                              • API String ID: 1953324306-412195191
                                                                                                              • Opcode ID: ec46454e662d725cad898504a232bd8c6b69392f7c989e1ac09674ab7817ab87
                                                                                                              • Instruction ID: 9587a2f0b206584098f879f6ad1b144889431f6e1b9191536966f75323f38053
                                                                                                              • Opcode Fuzzy Hash: ec46454e662d725cad898504a232bd8c6b69392f7c989e1ac09674ab7817ab87
                                                                                                              • Instruction Fuzzy Hash: 4921B5B5E00298DBDB18EFE8D555BEEBBB5EF45304F00055DE806A7280DB705A48EF91
                                                                                                              APIs
                                                                                                              • _malloc.LIBCMT ref: 02C1535D
                                                                                                                • Part of subcall function 02C22EEC: __FF_MSGBANNER.LIBCMT ref: 02C22F03
                                                                                                                • Part of subcall function 02C22EEC: __NMSG_WRITE.LIBCMT ref: 02C22F0A
                                                                                                                • Part of subcall function 02C22EEC: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 02C22F2F
                                                                                                              • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02C1536F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                                                              • String ID: \save.dat
                                                                                                              • API String ID: 4128168839-3580179773
                                                                                                              • Opcode ID: 68c6f7158b6e4dbcead40a7737ca3a0709b4773217eae6b2771147c5f184e33c
                                                                                                              • Instruction ID: 874c0855247c417307cc0a70b29aa167c5ac7b81d76780058fed204dc487371c
                                                                                                              • Opcode Fuzzy Hash: 68c6f7158b6e4dbcead40a7737ca3a0709b4773217eae6b2771147c5f184e33c
                                                                                                              • Instruction Fuzzy Hash: C01190729042502FDB22DE258C81D6FFF6BDFC3650B5005EDE84967201DAB30E06D6A0
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C1396A
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C139C1
                                                                                                                • Part of subcall function 02C11410: std::exception::exception.LIBCMT ref: 02C11428
                                                                                                                • Part of subcall function 02C1A555: __EH_prolog.LIBCMT ref: 02C1A55A
                                                                                                                • Part of subcall function 02C1A555: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C1A569
                                                                                                                • Part of subcall function 02C1A555: __CxxThrowException@8.LIBCMT ref: 02C1A588
                                                                                                              Strings
                                                                                                              • Day of month is not valid for year, xrefs: 02C139AC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Day of month is not valid for year
                                                                                                              • API String ID: 1404951899-1521898139
                                                                                                              • Opcode ID: 27df1b4fcf4749d6542e517a057cfd80720f6e7361ca2480de61fc30b1238d1d
                                                                                                              • Instruction ID: 368d1134931134e555de5fd36d779ce7af23eea06addbc548d69dae46b5e497c
                                                                                                              • Opcode Fuzzy Hash: 27df1b4fcf4749d6542e517a057cfd80720f6e7361ca2480de61fc30b1238d1d
                                                                                                              • Instruction Fuzzy Hash: 8F01D876914209EADF05EFE4D802AEEB779FF19710F40441AFC0493300EB744A55EBA5
                                                                                                              APIs
                                                                                                              • std::exception::exception.LIBCMT ref: 02C1FA4E
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 02C1FA63
                                                                                                                • Part of subcall function 02C23A8F: _malloc.LIBCMT ref: 02C23AA7
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                              • String ID: bad allocation
                                                                                                              • API String ID: 4063778783-2104205924
                                                                                                              • Opcode ID: a72453f5aff88e8d27050062df01e3f6be3b415a279f76a2c116b533bb9b84d3
                                                                                                              • Instruction ID: 7da02bbe8d51ef376fb690257cc55b7da5dd91d9b81087484a94ff89e01495f2
                                                                                                              • Opcode Fuzzy Hash: a72453f5aff88e8d27050062df01e3f6be3b415a279f76a2c116b533bb9b84d3
                                                                                                              • Instruction Fuzzy Hash: 11F02EF060030D96DF04FA9489019AF73ECAB00315B800969E521E3581EF70EA0859D4
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C13C1B
                                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02C13C30
                                                                                                                • Part of subcall function 02C223F7: std::exception::exception.LIBCMT ref: 02C22401
                                                                                                                • Part of subcall function 02C1A58E: __EH_prolog.LIBCMT ref: 02C1A593
                                                                                                                • Part of subcall function 02C1A58E: __CxxThrowException@8.LIBCMT ref: 02C1A5BC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                              • String ID: bad cast
                                                                                                              • API String ID: 1300498068-3145022300
                                                                                                              • Opcode ID: 7ba1d6e361ca08e7c3fefdc2da5f153f5c4cf03d989dcde94ab79156ad8d297d
                                                                                                              • Instruction ID: ff769f1d77c7ba1955d98b4e83477a6a12cf05705c6cc74b8e86e00a375f8599
                                                                                                              • Opcode Fuzzy Hash: 7ba1d6e361ca08e7c3fefdc2da5f153f5c4cf03d989dcde94ab79156ad8d297d
                                                                                                              • Instruction Fuzzy Hash: 3CF0E5729005048BC71ADF58D541AEAB779EF96315F0041AEED0A5B280CB72DA4AEAD1
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C138D2
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C138F1
                                                                                                                • Part of subcall function 02C11410: std::exception::exception.LIBCMT ref: 02C11428
                                                                                                                • Part of subcall function 02C188C3: _memmove.LIBCMT ref: 02C188E3
                                                                                                              Strings
                                                                                                              • Year is out of valid range: 1400..10000, xrefs: 02C138E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Year is out of valid range: 1400..10000
                                                                                                              • API String ID: 3258419250-2344417016
                                                                                                              • Opcode ID: fdd83ed5eed8fb3d9d4626ce42c9463b01e1a938bd6ebe1cc015913ea916b6a0
                                                                                                              • Instruction ID: abab2e6825047fdfe326a6b97b572419834bc2f40781b20b48397311cc6a9da3
                                                                                                              • Opcode Fuzzy Hash: fdd83ed5eed8fb3d9d4626ce42c9463b01e1a938bd6ebe1cc015913ea916b6a0
                                                                                                              • Instruction Fuzzy Hash: 31E092B2F4410497E715EF988812BDDBB79DB09B10F00095AE40667280DAB11904EB95
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C13886
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C138A5
                                                                                                                • Part of subcall function 02C11410: std::exception::exception.LIBCMT ref: 02C11428
                                                                                                                • Part of subcall function 02C188C3: _memmove.LIBCMT ref: 02C188E3
                                                                                                              Strings
                                                                                                              • Day of month value is out of range 1..31, xrefs: 02C13894
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Day of month value is out of range 1..31
                                                                                                              • API String ID: 3258419250-1361117730
                                                                                                              • Opcode ID: 1648a80317e57459165304051aecd998e5c1e32f7263c82e721cfc6bb3c1533d
                                                                                                              • Instruction ID: c0453b8d8e64a6f6a1a33715fcf9b4d1db8ee277e8d3b0b32e9962ab1057192e
                                                                                                              • Opcode Fuzzy Hash: 1648a80317e57459165304051aecd998e5c1e32f7263c82e721cfc6bb3c1533d
                                                                                                              • Instruction Fuzzy Hash: D7E0D872F0410497E715AFD4CC12BDDBB79DB09B50F40095AE40573280DBF51904AFD5
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C1391E
                                                                                                              • std::runtime_error::runtime_error.LIBCPMT ref: 02C1393D
                                                                                                                • Part of subcall function 02C11410: std::exception::exception.LIBCMT ref: 02C11428
                                                                                                                • Part of subcall function 02C188C3: _memmove.LIBCMT ref: 02C188E3
                                                                                                              Strings
                                                                                                              • Month number is out of range 1..12, xrefs: 02C1392C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                              • String ID: Month number is out of range 1..12
                                                                                                              • API String ID: 3258419250-4198407886
                                                                                                              • Opcode ID: c0e3af39728677658f722dc1f1d0c8ca494b4f26c0c249116c9694b7eec17696
                                                                                                              • Instruction ID: de8c53455485a47ae46361d8946f2e9525013b040ce20c6f3427ffa95953dd4f
                                                                                                              • Opcode Fuzzy Hash: c0e3af39728677658f722dc1f1d0c8ca494b4f26c0c249116c9694b7eec17696
                                                                                                              • Instruction Fuzzy Hash: 2DE0D872F0410497E715BFD4CC12BEDBB79DB09B10F40095AE80563280DBF12904AFD5
                                                                                                              APIs
                                                                                                              • TlsAlloc.KERNEL32 ref: 02C119CC
                                                                                                              • GetLastError.KERNEL32 ref: 02C119D9
                                                                                                                • Part of subcall function 02C11712: __EH_prolog.LIBCMT ref: 02C11717
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocErrorH_prologLast
                                                                                                              • String ID: tss
                                                                                                              • API String ID: 249634027-1638339373
                                                                                                              • Opcode ID: 37520c0c48897c7b5742f86853ea0c96bc74e9055c7bd81b1444472bbffb74f6
                                                                                                              • Instruction ID: 0da0e15a2fe497def8354988eb3b0a290f54e8b93c8a06749a100aa652cff7aa
                                                                                                              • Opcode Fuzzy Hash: 37520c0c48897c7b5742f86853ea0c96bc74e9055c7bd81b1444472bbffb74f6
                                                                                                              • Instruction Fuzzy Hash: E0E08671D042119BC3007B78D80918FBBA49A46230F108F66EDBD832D0EB3449149FC6
                                                                                                              APIs
                                                                                                              • __EH_prolog.LIBCMT ref: 02C13BD8
                                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 02C13BED
                                                                                                                • Part of subcall function 02C223F7: std::exception::exception.LIBCMT ref: 02C22401
                                                                                                                • Part of subcall function 02C1A58E: __EH_prolog.LIBCMT ref: 02C1A593
                                                                                                                • Part of subcall function 02C1A58E: __CxxThrowException@8.LIBCMT ref: 02C1A5BC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2906247428.0000000002C11000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C11000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_2c11000_gerdaplay3se32_64.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                              • String ID: bad cast
                                                                                                              • API String ID: 1300498068-3145022300
                                                                                                              • Opcode ID: 80d0c10c2b0af0bafe53c9183e8188b9ce216a0ef47248ddba66958b9f21f437
                                                                                                              • Instruction ID: 113e153dbccea7ef45df7a45cc0c620e38d518d0ddfc02f91eae60596cfc1842
                                                                                                              • Opcode Fuzzy Hash: 80d0c10c2b0af0bafe53c9183e8188b9ce216a0ef47248ddba66958b9f21f437
                                                                                                              • Instruction Fuzzy Hash: 97E0DFB0900108DBC719EF54D642BFCB775EF15304F4080ACDD0A172C0CB319A15EE82
                                                                                                              APIs
                                                                                                              • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 00404494
                                                                                                              • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044C8
                                                                                                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044E2
                                                                                                              • HeapFree.KERNEL32(00000000,?,?,00000000,00404234,?,?,?,00000100,?,00000000), ref: 004044F9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.2904696747.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                              • Associated: 00000002.00000002.2904696747.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_400000_gerdaplay3se32_64.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocHeap$FreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 3499195154-0
                                                                                                              • Opcode ID: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                                                                              • Instruction ID: 6532d2b8740b88ca5c68c93f46193dcc45771cdeba7f909f778517217a69801f
                                                                                                              • Opcode Fuzzy Hash: 03264f3b7f6a3c24648121467edc173d78a87d9b85cb2d8b679f40e74ce8d20c
                                                                                                              • Instruction Fuzzy Hash: 02113670200301AFC731CF29EE45A627BB5FB847207104A3AF252E65F0D775A866EF19